High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| gotenberg–gotenberg | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths. | 2026-05-06 | 10 | CVE-2026-40281 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q https://github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318 |
| jkroepke–openvpn-auth-oauth2 | openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3. | 2026-05-08 | 10 | CVE-2026-41070 | https://github.com/jkroepke/openvpn-auth-oauth2/security/advisories/GHSA-246w-jgmq-88fg https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2 |
| gitroomhq–postiz-app | Postiz is an AI social media scheduling tool. Prior to commit da44801, a “Pwn Request” vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801. | 2026-05-08 | 10 | CVE-2026-42298 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4 https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46 |
| GeoVision Inc.–GV-VMS V20.0.2 | GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the “WebCam Server” feature. Once enabled, it is possible to access the management and monitoring features via a regular Web interface. This web server is another native application, compiled without ASLR, which makes exploitation much easier and more likely. Most of the features require authentication before being reachable and leverage a standard login page to grant access. However, the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both the `Basic` and `Digest` modes of authentication. Stack overflow via unbounded copy of base64-decoded string: the `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at a time at [0], and there is no bounds check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable), then a stack overflow occurs. Because the data can be fully controlled by an attacker and ASLR is absent, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 10 | CVE-2026-42369 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Microsoft–Azure DevOps | Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 10 | CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability |
| Eclipse Foundation–Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise. | 2026-05-05 | 10 | CVE-2026-7411 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/102 |
| Opencart–opencart | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts. | 2026-05-10 | 9.8 | CVE-2021-47923 | ExploitDB-50555 Official Product Homepage VulnCheck Advisory: OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie |
| thecartpress–TheCartPress | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | 2026-05-10 | 9.8 | CVE-2021-47932 | ExploitDB-50378 Official Product Homepage VulnCheck Advisory: WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated |
| mstore–MStore API | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server. | 2026-05-10 | 9.8 | CVE-2021-47933 | ExploitDB-50379 Official Product Homepage VulnCheck Advisory: WordPress MStore API 2.0.6 Arbitrary File Upload |
| Opencats–OpenCATS | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory. | 2026-05-10 | 9.8 | CVE-2021-47936 | ExploitDB-50585 Official Product Homepage Product Reference VulnCheck Advisory: OpenCATS 0.9.4 Remote Code Execution via Resume Upload |
| download-from-files–Download From Files | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root. | 2026-05-10 | 9.8 | CVE-2021-47940 | ExploitDB-50287 Official Product Homepage VulnCheck Advisory: WordPress Download From Files 1.48 Arbitrary File Upload |
| equinox–OSGi | Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection. | 2026-05-05 | 9.8 | CVE-2023-54342 | ExploitDB-51878 VulnCheck Advisory: Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution |
| equinox–OSGi | Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections. | 2026-05-05 | 9.8 | CVE-2023-54344 | ExploitDB-51879 VulnCheck Advisory: Eclipse Equinox OSGi 3.7.2 Remote Code Execution via Console |
| dreamstechnologies–Mentoring | The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. | 2026-05-05 | 9.8 | CVE-2025-13618 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve https://themeforest.net/item/mentoring-education-wordpress-theme/36457081 https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html |
| Tegsoft Management and Information Services Trade Limited Company–Online Support Application | Improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS. This issue affects Online Support Application: from V3 through 31122025. | 2026-05-04 | 9.8 | CVE-2025-14320 | https://www.usom.gov.tr/bildirim/tr-26-0142 |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24118 | https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3 https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-24120 | https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24781 | https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189 https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| Qualcomm, Inc.–Snapdragon | Buffer overflow due to incorrect authorization in PLC FW | 2026-05-04 | 9.6 | CVE-2026-25293 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-26332 | https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-26956 | https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66 https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| OpenCTI-Platform–opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration. | 2026-05-05 | 9.8 | CVE-2026-27960 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx |
| Microsoft–Azure Managed Instance for Apache Cassandra | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9.9 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft–Microsoft Teams | Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network. | 2026-05-07 | 9.6 | CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability |
| Microsoft–Azure Managed Instance for Apache Cassandra | Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft–Azure Cloud Shell | Improper neutralization of special elements used in a command (‘command injection’) in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 9.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability |
| Saleswonder LLC–WebinarIgnition | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253. | 2026-05-05 | 9.3 | CVE-2026-40797 | https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve |
| Spring–Spring Cloud Config | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 9.1 | CVE-2026-40982 | https://spring.io/security/cve-2026-40982 |
| ci4-cms-erp–ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve full account takeover and privilege escalation via stored DOM XSS in the backup module's filename field, manipulated via an SQL file whose file name is tampered with to contain a hidden XSS payload. This issue has been patched in version 0.31.5.0. | 2026-05-07 | 9.1 | CVE-2026-41201 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI’s MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9. | 2026-05-08 | 9.8 | CVE-2026-41497 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9qhq-v63v-fv3j https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec(“open …”) command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41500 | https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec(“rm -rf …”) command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41501 | https://github.com/electerm/electerm/security/advisories/GHSA-8x35-hph8-37hq https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| mauriciopoppe–math-codegen | math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3. | 2026-05-08 | 9.8 | CVE-2026-41507 | https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r https://github.com/mauriciopoppe/math-codegen/pull/11 https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b |
| 0din-ai–ai-scanner | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1. | 2026-05-08 | 9.9 | CVE-2026-41512 | https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1 |
| enchant97–note-mark | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt(“null”) placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: “null” to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3. | 2026-05-04 | 9.4 | CVE-2026-41571 | https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| inducer–relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py – check_sign_in_key(). This issue has been patched via commit 2f68e16. | 2026-05-08 | 9 | CVE-2026-41588 | https://github.com/inducer/relate/security/advisories/GHSA-78j7-9xr9-2728 https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| charmbracelet–wish | Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1. | 2026-05-07 | 9.6 | CVE-2026-41589 | https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h https://github.com/charmbracelet/wish/releases/tag/v2.0.1 |
| freescout-help-desk–freescout | FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user’s password. The endpoint performs no expiration check – the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217. | 2026-05-07 | 9.1 | CVE-2026-41902 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz–Vvveb | Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation. | 2026-05-06 | 9.8 | CVE-2026-41930 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32 https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin |
| orneryd–NornicDB | Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the –address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database – with its default admin:password credentials – to any device sharing the network. This issue has been patched in version 1.0.42-hotfix. | 2026-05-08 | 9.8 | CVE-2026-42072 | https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54 https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca https://github.com/orneryd/NornicDB/releases/tag/v1.0.42 |
| EvoMap–evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3. | 2026-05-04 | 9.8 | CVE-2026-42076 | https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42087 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5 https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42088 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr https://github.com/OpenC3/cosmos/releases/tag/v7.0.0 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| streetwriters–notesnook | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = …. Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20. | 2026-05-04 | 9.6 | CVE-2026-42090 | https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4 https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android https://github.com/streetwriters/notesnook/releases/tag/v3.3.15 |
| useplunk–plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0. | 2026-05-08 | 9.1 | CVE-2026-42193 | https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53 https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| labring–FastGPT | FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the –auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13. | 2026-05-08 | 9.8 | CVE-2026-42302 | https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78 https://github.com/labring/FastGPT/pull/6781 https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4 https://github.com/labring/FastGPT/releases/tag/v4.14.13 |
| getsentry–sentry | Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. This issue has been patched in version 26.4.1. | 2026-05-08 | 9.1 | CVE-2026-42354 | https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7 https://github.com/getsentry/sentry/pull/113720 https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b https://github.com/getsentry/sentry/releases/tag/26.4.1 |
| GeoVision Inc.–GV-LPC2011/LPC2211 | An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42364 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.–GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to the execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42368 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.–GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 2026-05-04 | 9 | CVE-2026-42370 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link–DIR-605L Firmware | D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username “Alphanetworks” and the static password “wrgn76_dlwbr_dir605L” read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42373 | D-Link DIR-605L B2 Hardcoded Telnet Backdoor – Securin Advisory |
| D-Link–DIR-600L Firmware | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username “Alphanetworks” and the static password “wrgn61_dlwbr_dir600L” read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42374 | D-Link DIR-600L B1 Hardcoded Telnet Backdoor – Securin Advisory |
| D-Link–DIR-600L Firmware | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username “Alphanetworks” and the static password “wrgn35_dlwbr_dir600l” read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42375 | D-Link DIR-600L A1 Hardcoded Telnet Backdoor – Securin Advisory |
| D-Link–DIR-456U Firmware | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username “Alphanetworks” and the static password “whdrv01_dlob_dir456U” read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42376 | D-Link DIR-456U A1 Hardcoded Telnet Backdoor – Securin Advisory |
| Termix-SSH–Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0. | 2026-05-08 | 9.9 | CVE-2026-42454 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| go-pkgz–auth | auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2. | 2026-05-09 | 9.1 | CVE-2026-42560 | https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42 https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698 https://github.com/go-pkgz/auth/releases/tag/v1.25.2 https://github.com/go-pkgz/auth/releases/tag/v2.1.2 |
| phpvms–phpvms | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6. | 2026-05-09 | 9.4 | CVE-2026-42569 | https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc https://github.com/phpvms/phpvms/releases/tag/7.0.6 https://github.com/phpvms/phpvms/releases/tag/7.0.7 |
| Arelle–Arelle | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges. | 2026-05-04 | 9.8 | CVE-2026-42796 | https://github.com/Arelle/Arelle/releases/tag/2.39.10 https://github.com/Arelle/Arelle/pull/2320 https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure |
| Apache Software Foundation–Apache Polaris | Apache Polaris can issue broad temporary (“vended”) storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued. | 2026-05-04 | 9.9 | CVE-2026-42809 | https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r |
| Apache Software Foundation–Apache Polaris | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. In S3 IAM policy matching, `*` is treated as a wildcard rather than as ordinary text. That means temporary credentials issued for one crafted table can match the storage path of a different table. In private testing against Polaris 1.4.0 using Polaris’ AWS S3 temporary-credential path on both MinIO and real AWS S3, credentials returned for crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other tables’ S3 locations. The confirmed behavior includes: – reading another table’s metadata control file ([Iceberg metadata JSON]); – listing another table’s exact S3 table prefix ([table prefix]); – and, when write delegation was returned for the crafted table, creating and deleting an object under another table’s exact S3 table prefix. A control case using ordinary different names did not allow the same cross-table access. A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that setup, direct Polaris access to `foo.t1` remained forbidden, but the attacker could still create and load `*.*`, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects under `foo.t1`. In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure. | 2026-05-04 | 9.9 | CVE-2026-42810 | https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9 |
| Apache Software Foundation–Apache Polaris | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table’s files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage downscoped credentials by creating a Credential Access Boundary (CAB) with CEL conditions that are intended to restrict access to the requested table’s storage path. The relevant CEL string is built from the bucket name and the table path. That table path is derived from namespace and table identifiers. In current code, that path appears to be inserted into the CEL expression without escaping. As a result, a namespace or table identifier containing a single quote and other URI-safe CEL fragments can break out of the intended quoted string and change the meaning of the CEL condition. In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated GCS credentials whose CEL path restriction had effectively collapsed. Those delegated credentials could then: – list another table’s object prefix; – read another table’s metadata control file (Iceberg metadata JSON); – create and delete an object under another table’s object prefix; – and also list, read, create, and delete objects under an unrelated external prefix in the same bucket that was not part of any table path. That last point is important. The issue is not limited to “another table”. In the confirmed setup, once Apache Polaris returned credentials for the crafted table, the path restriction inside the configured bucket was effectively gone. The practical effect is that temporary credentials for one crafted table can be broader than the table Polaris was asked to authorize, and can become effectively bucket-wide within the configured bucket. The current GCS testing used a Polaris principal with broad catalog privileges for setup. A separate least-privilege Polaris RBAC variant has not yet been tested on GCS. However, the storage-credential broadening behavior itself has been confirmed on GCS. | 2026-05-04 | 9.9 | CVE-2026-42811 | https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg |
| Apache Software Foundation–Apache Polaris | In Apache Iceberg, the table’s metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Polaris-managed catalog, changing only that property through an `ALTER TABLE`-style settings change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses the commit-time branch that is supposed to revalidate storage locations. The full persisted / credential-vending variant requires the affected catalog to have `polaris.config.allow.unstructured.table.location=true`, with `allowedLocations` broad enough to include the attacker-chosen target. `allowedLocations` is the admin-configured allowlist of storage paths that the catalog is allowed to use. Public project materials suggest that this flag is a real supported compatibility / layout mode, not just a contrived lab-only prerequisite. In that configuration, a user who can change table settings can cause Apache Polaris itself to write new table metadata to an attacker-chosen reachable storage location before the intended location-validation branch runs. If the later concrete-path validation also accepts that location, Polaris persists the resulting metadata path into stored table state. Later table-load and credential APIs can then return temporary cloud-storage credentials for the same location without revalidating it. In plain terms, Polaris can later hand out temporary storage access for the same attacker-chosen area. That attacker-chosen area does not need to be limited to the poisoned table’s own files. If it is a broader storage prefix, another table’s prefix, or, depending on configuration or provider behavior, even a bucket/container root, the resulting disclosure or corruption scope can extend to any data and metadata Polaris can reach there. The practical consequences are therefore similar to the staged-create credential-vending issue already discussed: data and metadata reachable in that storage scope can be exposed and, if write-capable credentials are later issued, modified, corrupted, or removed. Even before that later credential step, Polaris itself performs the metadata write to the unchecked location. So the core issue is not only later credential vending. The primary defect is that Polaris skips its intended location checks before performing a security-sensitive metadata write when only `write.metadata.path` changes. When `polaris.config.allow.unstructured.table.location=false`, current code review suggests the later `updateTableLike(…)` validation usually rejects out-of-tree metadata locations before the unsafe path is persisted. That may reduce the persisted / credential-vending variant, but it does not prevent the underlying defect: Polaris still skips the intended pre-write location check when only `write.metadata.path` changes. | 2026-05-04 | 9.9 | CVE-2026-42812 | https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9 |
| argoproj–argo-cd | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD’s ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server’s Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9. | 2026-05-07 | 9.6 | CVE-2026-42880 | https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 (“ext4: always allocate blocks only from groups inode can use”) restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups(). | 2026-05-05 | 9.8 | CVE-2026-43067 | https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930 https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29 https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1 https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503 https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets ‘dhash_entries=1’: BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of ‘(u32)hashlen >> d_hash_shift’ becomes ‘hashlen’, // so ‘b’ will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that ‘d_hash_shift’ won’t exceed the bit width of type u32. | 2026-05-05 | 9.1 | CVE-2026-43071 | https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73 https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526 https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { … queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here. | 2026-05-06 | 9.1 | CVE-2026-43083 | https://git.kernel.org/stable/c/6d1d9ed9b409e0662241e3d245d574a18f643494 https://git.kernel.org/stable/c/95a1334748c95dd15546056280ade0c4b8dd7b78 https://git.kernel.org/stable/c/b30b1675aa2bcf0491fd3830b051df4e08a7c8ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: don’t return non-matching entry on expiry New test case fails unexpectedly when avx2 matching functions are used. The test first loads a randomly generated pipapo set with ‘ipv4 . port’ key, i.e. nft -f foo. This works. Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f – This is expected to work, because it’s the same set after all and it was already loaded once. But with avx2, this fails: nft reports a clashing element. The reported clash is of following form: We successfully re-inserted a . b c . d Then we try to insert a . d avx2 finds the already existing a . d, which (due to ‘flush set’) is marked as invalid in the new generation. It skips the element and moves to next. Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted “a . b”, even though the last field is different and the entry should not have been matched. No such error is reported for the generic c implementation (no avx2) or when the last field has to use the ‘nft_pipapo_avx2_lookup_slow’ fallback. Bisection points to 7711f4bb4b36 (“netfilter: nft_set_pipapo: fix range overlap detection”) but that fix merely uncovers this bug. Before this commit, the wrong element is returned, but erroneously reported as a full, identical duplicate. The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map. | 2026-05-06 | 9.4 | CVE-2026-43114 | https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52 https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() If overlay is used on top of btrfs, dentry->d_sb translates to overlay’s super block and fsid assignment will lead to a crash. Use file_inode(file)->i_sb to always get btrfs_sb. | 2026-05-06 | 9.1 | CVE-2026-43117 | https://git.kernel.org/stable/c/c09a7446aab5773f38d6abb25fce99b8e1dfbc97 https://git.kernel.org/stable/c/32372781d664a9b03c40343e96c29d0a6139f97d https://git.kernel.org/stable/c/2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a https://git.kernel.org/stable/c/d110d7cdb045715c0b45b0dfd974525bb38f653d https://git.kernel.org/stable/c/a85b46db143fda5869e7d8df8f258ccef5fa1719 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. | 2026-05-06 | 9.8 | CVE-2026-43125 | https://git.kernel.org/stable/c/67288113c5e6cf9e659b4065c0ed6f16100e0c71 https://git.kernel.org/stable/c/082083c9fbd99422a0370fe2102144a231c9f5d6 https://git.kernel.org/stable/c/5f053a2e7209d326cbbc07738fa6d6893d307438 https://git.kernel.org/stable/c/080e5563f878c64e697b89e7439d730d0daad882 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signedness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, …). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, …) with min_t(u32, …). | 2026-05-06 | 9.8 | CVE-2026-43185 | https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550 https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic. Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it: – in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; – in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written. Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00). | 2026-05-06 | 9.8 | CVE-2026-43186 | https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143 https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978 https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637 https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 (“netconsole: convert to NBCON console infrastructure”) the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594 CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750 Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0 The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00) | 2026-05-06 | 9.1 | CVE-2026-43197 | https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58 https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context. | 2026-05-06 | 9.8 | CVE-2026-43198 | https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not pass flow_id to set_rps_cpu() Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change. Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes. | 2026-05-06 | 9.8 | CVE-2026-43208 | https://git.kernel.org/stable/c/5455a232edea6b946b99449f15ca771a8874a5a6 https://git.kernel.org/stable/c/ed712dc0d64dee5f0d05e4d8ca57711f8a9c850c https://git.kernel.org/stable/c/8a8a9fac9efa6423fd74938b940cb7d731780718 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: define and enforce CEPH_MAX_KEY_LEN When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length. The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn’t provide much value since a smaller than needed key is just as invalid as no key — this has to be handled elsewhere anyway. | 2026-05-08 | 9.8 | CVE-2026-43304 | https://git.kernel.org/stable/c/6405e8c680974bb74e2c98d5249fb52c7b12a6c6 https://git.kernel.org/stable/c/8d745d38c88ecbed95f6b2b39857bf89f35a3244 https://git.kernel.org/stable/c/e1dc45d97975f9db65694d234fbddf1915176e16 https://git.kernel.org/stable/c/1b275bd49e58752efb83767a5d1aed41356c5e64 https://git.kernel.org/stable/c/c1a0f5f1e5e7e98c36a362ec3d1fcfd9932931ed https://git.kernel.org/stable/c/d82467c07b03a27c3c5469b62bb3b726305a80bb https://git.kernel.org/stable/c/ac431d597a9bdfc2ba6b314813f29a6ef2b4a3bf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length. | 2026-05-08 | 9.8 | CVE-2026-43341 | https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596 https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09 https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280 https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access the oplock_info structure after it has been freed. This can lead to a use-after-free, especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu(). | 2026-05-08 | 9.8 | CVE-2026-43376 | https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free. | 2026-05-08 | 9.8 | CVE-2026-43379 | https://git.kernel.org/stable/c/bf4d66d72e4a9e268c1012c331ce9eaedb5e2086 https://git.kernel.org/stable/c/960699317d39f46611f4ebeb69edc567c1f4e6b6 https://git.kernel.org/stable/c/dbbd328cf58261ca239756fe1c0d10c9518d3399 https://git.kernel.org/stable/c/b3568347c51c46e2cabc356bc34676df98296619 https://git.kernel.org/stable/c/eac3361e3d5dd8067b3258c69615888eb45e9f25 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.4 | CVE-2026-43383 | https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6 https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624 https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218 https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.8 | CVE-2026-43384 | https://git.kernel.org/stable/c/8be6ed64966da48b6c4726918f106c18742a5125 https://git.kernel.org/stable/c/a269cbdc442f8658bca35383e34b9d0b0ff95a1c https://git.kernel.org/stable/c/080b0e210088296dd50d6637c06c1db14246adfe https://git.kernel.org/stable/c/67edfec516d30d3e62925c397be4a1e5185802fc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid’s rcu.func pointer. Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path – make_task_dead(), direct do_exit(), or kthread_exit(). Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly. | 2026-05-08 | 9.8 | CVE-2026-43402 | https://git.kernel.org/stable/c/4729c7b00a347fd37d0cbc265b85f2884c3e06b6 https://git.kernel.org/stable/c/5a591d7a5e48d30100943940a30a6ab41b15c672 https://git.kernel.org/stable/c/28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. | 2026-05-08 | 9.1 | CVE-2026-43406 | https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4 https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1 https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2 https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8 https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length. Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length. BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262 CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace: <TASK> dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x620 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? kasan_complete_mode_report_info+0x72/0x210 kasan_report+0xe7/0x130 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] __asan_report_load_n_noabort+0xf/0x20 ceph_handle_auth_reply+0x642/0x7a0 [libceph] mon_dispatch+0x973/0x23d0 [libceph] ? apparmor_socket_recvmsg+0x6b/0xa0 ? __pfx_mon_dispatch+0x10/0x10 [libceph] ? __kasan_check_write+0x14/0x30i ? mutex_unlock+0x7f/0xd0 ? __pfx_mutex_unlock+0x10/0x10 ? __pfx_do_recvmsg+0x10/0x10 [libceph] ceph_con_process_message+0x1f1/0x650 [libceph] process_message+0x1e/0x450 [libceph] ceph_con_v2_try_read+0x2e48/0x6c80 [libceph] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph] ? save_fpregs_to_fpstate+0xb0/0x230 ? raw_spin_rq_unlock+0x17/0xa0 ? finish_task_switch.isra.0+0x13b/0x760 ? __switch_to+0x385/0xda0 ? __kasan_check_write+0x14/0x30 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 ceph_con_workfn+0x248/0x10c0 [libceph] process_one_work+0x629/0xf80 ? __kasan_check_write+0x14/0x30 worker_thread+0x87f/0x1570 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx_try_to_wake_up+0x10/0x10 ? kasan_print_address_stack_frame+0x1f7/0x280 ? __pfx_worker_thread+0x10/0x10 kthread+0x396/0x830 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? __pfx_kthread+0x10/0x10 ? __kasan_check_write+0x14/0x30 ? recalc_sigpending+0x180/0x210 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3f7/0x610 ? __pfx_ret_from_fork+0x10/0x10 ? __switch_to+0x385/0xda0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> [ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ] | 2026-05-08 | 9.1 | CVE-2026-43407 | https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847 https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472 https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656 https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0 https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969 https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665 https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea. | 2026-05-08 | 9.8 | CVE-2026-43414 | https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn’t change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: – The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. – The test sends one packet with no payload. – On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. – The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn’t contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). – mlx5 device skips counting this fragment. Internal frag counter remains 0. – mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: […] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] […] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 […] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX, XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 9.8 | CVE-2026-43465 | https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832 https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. | 2026-05-05 | 9.1 | CVE-2026-43534 | GitHub Security Advisory (GHSA-7g8c-cfr3-vqqr) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Unsanitized External Input in Agent Hook Events |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded. | 2026-05-05 | 9.1 | CVE-2026-43566 | GitHub Security Advisory (GHSA-g2hm-779g-vm32) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.14 – Privilege Escalation via Untrusted Webhook Wake Events |
| OpenClaw–OpenClaw | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session. | 2026-05-06 | 9.8 | CVE-2026-43575 | GitHub Security Advisory (GHSA-92jp-89mq-4374) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.21 < 2026.4.10 – Authentication Bypass in Sandbox noVNC Helper Route |
| OpenClaw–OpenClaw | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended. | 2026-05-06 | 9.1 | CVE-2026-43578 | GitHub Security Advisory (GHSA-g375-h3v6-4873) Patch Commit VulnCheck Advisory: OpenClaw 2026.3.31 < 2026.4.10 – Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration. | 2026-05-06 | 9.6 | CVE-2026-43581 | GitHub Security Advisory (GHSA-525j-hqq2-66r4) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm’s terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim’s machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches. | 2026-05-08 | 9.6 | CVE-2026-43941 | https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | 2026-05-06 | 9.8 | CVE-2026-44109 | GitHub Security Advisory (GHSA-xh72-v6v9-mwhc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 – Authentication Bypass in Feishu Webhook and Card-Action Validation |
| linkwarden–linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for “http://” or “https://” prefixes. This issue has been patched in version 2.13.0. | 2026-05-08 | 9.1 | CVE-2026-44313 | https://github.com/linkwarden/linkwarden/security/advisories/GHSA-5qpc-x7rv-hvmp |
| ahmadgb–GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution. | 2026-05-05 | 9.8 | CVE-2026-5294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot |
| MoreConvert–MoreConvert Pro | The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link. | 2026-05-05 | 9.8 | CVE-2026-5722 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve https://wordpress.org/plugins/smart-wishlist-for-more-convert/ https://moreconvert.com/changelog/ |
| TUBITAK BILGEM Software Technologies Research Institute–Liderahenk | Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2. | 2026-05-07 | 9.8 | CVE-2026-6508 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0181 |
| DivvyDrive Information Technologies Inc.–DivvyDrive | URL redirection to untrusted site (‘open redirect’) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 9.6 | CVE-2026-6795 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| GeoVision Inc.–GV-IP Device Utility | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various GeoVision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the “obscurity” of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default. | 2026-05-04 | 9.3 | CVE-2026-7161 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.–GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Stack overflow via unconstrained sscanf: the call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn’t limit the size of the extracted content to match the destination buffers’ sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size of the stack variables `username` and `password`), then a stack overflow will occur. The data is controlled by an attacker, but stronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 9 | CVE-2026-7372 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo–Firmware | Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them. | 2026-05-07 | 9.8 | CVE-2026-7414 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000 |
| Yarbo–Firmware | The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind. | 2026-05-07 | 9.8 | CVE-2026-7415 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001 |
| ollama–ollama | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file’s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users’ conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed). | 2026-05-04 | 9.1 | CVE-2026-7482 | ollama/ollama PR #14406 — ggml: ensure tensor size is valid (fix) Fix commit 88d57d0 ollama v0.17.1 release notes |
| Totolink–WA300 | A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7719 | VDB-360895 \| Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow VDB-360895 \| CTI Indicators (IOB, IOC, IOA) Submit #807197 \| Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-loginAuth-34553a41781f8050b8ffc9e90a103cd5 https://www.totolink.net/ |
| Totolink–N300RH | A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument Password results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7747 | VDB-360922 \| Totolink N300RH Parameter cstecgi.cgi loginauth buffer overflow VDB-360922 \| CTI Indicators (IOB, IOC, IOA) Submit #807201 \| Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-loginauth_password-34553a41781f80c0ad36f4d95122fd40?pvs=73 https://www.totolink.net/ |
| Totolink–A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7823 | VDB-361075 \| Totolink A8000RU cstecgi.cgi setAppFilterCfg os command injection VDB-361075 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807775 \| Totolink A8000RU 7.1cu.643_b20200521 Command Injection https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_330/README.md https://www.totolink.net/ |
| EFM–ipTIME NAS1dual | A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-05 | 9.8 | CVE-2026-7834 | VDB-361113 \| EFM ipTIME NAS1dual misc_main.cgi get_csrf_whites stack-based overflow VDB-361113 \| CTI Indicators (IOB, IOC, IOA) Submit #807787 \| iptime nas1dual 1.5.24 Stack Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/nas1dual/iptime2_en.md |
| D-Link–DI-8100 | A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7853 | VDB-361130 \| D-Link DI-8100 HTTP auto_reboot.asp sprintf buffer overflow VDB-361130 \| CTI Indicators (IOB, IOC, IOA) Submit #807837 \| D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/auto_reboot_asp_overflow.md https://www.dlink.com/ |
| D-Link–DI-8100 | A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-05 | 9.8 | CVE-2026-7854 | VDB-361131 \| D-Link DI-8100 POST Parameter url_rule.asp url_rule_asp buffer overflow VDB-361131 \| CTI Indicators (IOB, IOC, IOA) Submit #807838 \| D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/url_rule_asp_overflow.md https://www.dlink.com/ |
| Universal Robots–PolyScope 5 | OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that will execute code on the robot’s OS. | 2026-05-08 | 9.8 | CVE-2026-8153 | https://www.universal-robots.com/developer/communication-protocol/dashboard-server/ |
| opencartextensions–Extension TMD Vendor System | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table. | 2026-05-10 | 8.2 | CVE-2021-47928 | ExploitDB-50493 Official Product Homepage Product Reference VulnCheck Advisory: Opencart TMD Vendor System 3.x Blind SQL Injection via product route |
| Balbooa–Balbooa Joomla Forms Builder | Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the ‘id’ field parameter to extract sensitive database information. | 2026-05-10 | 8.2 | CVE-2021-47930 | ExploitDB-50447 Official Product Homepage VulnCheck Advisory: Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated |
| Sentry–Sentry | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges. | 2026-05-10 | 8.8 | CVE-2021-47935 | ExploitDB-50318 Product Reference VulnCheck Advisory: Sentry 8.2.0 Remote Code Execution via Pickle Deserialization |
| E107–e107 CMS | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to the e107_themes directory, then execute system commands via the payload.php script. | 2026-05-10 | 8.8 | CVE-2021-47937 | ExploitDB-50315 Official Product Homepage Product Reference VulnCheck Advisory: e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme Upload |
| Impresscms–ImpressCMS | ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters. | 2026-05-10 | 8.8 | CVE-2021-47938 | ExploitDB-50298 Official Product Homepage Product Reference VulnCheck Advisory: ImpressCMS 1.4.2 Remote Code Execution via Autotasks |
| Evo–Evolution CMS | Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the ‘post’ parameter to create modules that execute arbitrary commands when invoked. | 2026-05-10 | 8.8 | CVE-2021-47939 | ExploitDB-50296 Official Product Homepage Product Reference VulnCheck Advisory: Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation |
| Modalsurvey–Survey & Poll | WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database. | 2026-05-10 | 8.2 | CVE-2021-47941 | ExploitDB-50269 Official Product Homepage VulnCheck Advisory: WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params |
| Textpattern–TextPattern CMS | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function. | 2026-05-10 | 8.8 | CVE-2021-47943 | ExploitDB-49996 ExploitDB-50415 VulnCheck Advisory: TextPattern CMS 4.8.7 Remote Code Execution via File Upload |
| Cyberpanel–CyberPanel | CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint. | 2026-05-10 | 8.8 | CVE-2021-47949 | ExploitDB-50230 Official Product Homepage Product Reference VulnCheck Advisory: CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack |
| MegaTKC–Aero CMS | Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server. | 2026-05-10 | 8.8 | CVE-2022-50944 | ExploitDB-51085 Official Product Homepage VulnCheck Advisory: Aero CMS 0.0.1 PHP Code Injection via posts.php |
| DrayTek–Vigor 2960 | DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled. | 2026-05-08 | 8.1 | CVE-2022-50994 | https://www.draytek.co.uk/support/downloads/vigor-2960/older-firmware/firmware-1514?task=download.send&id=2597:readme-v2960-1514&catid=1251 https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2960 https://www.vulncheck.com/advisories/draytek-vigor-2960-os-command-injection-via-mainfunction-cgi |
| Erpnext–Frappe Framework (ERPNext) | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands. | 2026-05-05 | 8.8 | CVE-2023-54345 | ExploitDB-51580 Official Product Homepage Product Reference Reference Source Code Repository Reference Source Code Repository VulnCheck Advisory: Frappe Framework ERPNext 13.4.0 Remote Code Execution |
| Rajodiya–ERPGo SaaS | ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|’ /C calc’!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications. | 2026-05-05 | 8.8 | CVE-2023-54348 | ExploitDB-51220 Official Product Homepage Product Reference VulnCheck Advisory: ERPGo SaaS 3.9 CSV Injection via Vendor Creation |
| HCL–BigFix Service Management (SM) | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications. | 2026-05-06 | 8.3 | CVE-2024-30151 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127782 |
| PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. | 2026-05-07 | 8 | CVE-2024-43384 | https://certvde.com/en/advisories/VDE-2024-039 |
| DivvyDrive Information Technologies Inc.–DivvyDrive | Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2. | 2026-05-07 | 8.3 | CVE-2025-14341 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Hitachi–Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28 : before DKCMAIN Ver. 88-08-16-xx/00, SVP Ver. 88-08-18-xx/00, before DKCMAIN Ver. 93-07-26-xx/00, SVP Ver. 93-07-26-xx/00, before DKCMAIN Ver. A3-04-02-xx/00, MPC Ver. A3-04-02-xx/00, before DKCMAIN Ver. A3-03-41-xx/00, MPC Ver. A3-03-41-xx/00, before DKCMAIN Ver. A3-03-03-xx/00, MPC Ver. A3-03-03-xx/00. | 2026-05-07 | 8.3 | CVE-2025-1978 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_307.html |
| HCL–BigFix RunBookAI | HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component’s input handling was identified that could permit unauthorized command execution. | 2026-05-06 | 8.8 | CVE-2025-31951 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444 |
| Gen Digital–Norton Secure VPN | A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges. | 2026-05-04 | 8.8 | CVE-2025-58074 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276 |
| Apache Software Foundation–Apache CloudStack | Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 8 | CVE-2025-66467 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hitachi–Hitachi Virtual Storage Platform One Block 23 | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00. | 2026-05-07 | 8.1 | CVE-2025-9661 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_309.html |
| Cisco–Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. | 2026-05-06 | 8.8 | CVE-2026-20034 | cisco-sa-unity-rce-ssrf-hENhuASy |
| vda-linux–busybox_mirror | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening. | 2026-05-04 | 8.1 | CVE-2026-29004 | https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/ https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409 https://busybox.net/ https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers |
| netbox-community–netbox | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox’s call interception mechanism, achieving remote code execution as the NetBox service user. | 2026-05-04 | 8.8 | CVE-2026-29514 | https://chocapikk.com/posts/2026/netbox-export-template-rce/ https://github.com/netbox-community/netbox/issues/22079 https://github.com/netbox-community/netbox/pull/22078 https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin |
| Microsoft–Azure Machine Learning | Improper neutralization of input during web page generation (‘cross-site scripting’) in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.8 | CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability |
| Microsoft–Microsoft Partner Center | Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.2 | CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability |
| Oracle Corporation–Oracle MCP Server Helper Tool product of Oracle Open Source Projects | Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that are affected are 1.0.1-1.0.156. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL. | 2026-05-05 | 8.7 | CVE-2026-35228 | Oracle Advisory |
| Microsoft–Azure AI Foundry | Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. | 2026-05-07 | 8.6 | CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability |
| Gosoft Software Industry and Trade Ltd. Co.–Proticaret E-Commerce | Improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. | 2026-05-07 | 8.8 | CVE-2026-3953 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0180 |
| Microsoft–Azure Monitor Action Group notification system | Server-side request forgery (SSRF) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. | 2026-05-07 | 8.1 | CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability |
| AcademySoftwareFoundation–openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | 8.8 | CVE-2026-41142 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg https://github.com/AcademySoftwareFoundation/openexr/pull/2367 https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4 |
| YesWiki–yeswiki | YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data[‘id_fiche’] value (sourced from $_POST[‘id_fiche’]) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1. | 2026-05-07 | 8.8 | CVE-2026-41143 | https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2 https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1 |
| daptin–daptin | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() – a raw SQL literal expression builder – without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4. | 2026-05-07 | 8.3 | CVE-2026-41422 | https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv https://github.com/daptin/daptin/releases/tag/v0.11.4 |
| dagster-io–dagster | Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager’s credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1. | 2026-05-07 | 8.3 | CVE-2026-41490 | https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34 https://github.com/dagster-io/dagster/releases/tag/1.13.1 |
| dapr–dapr | Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5. | 2026-05-08 | 8.1 | CVE-2026-41491 | https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463 https://github.com/dapr/dapr/pull/9589 |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends – MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB – pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9. | 2026-05-08 | 8.1 | CVE-2026-41496 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5 |
| inducer–relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py’s make_sign_in_key() function and exam.py’s gen_ticket_code() function. This issue has been patched via commit 2f68e16. | 2026-05-07 | 8.7 | CVE-2026-41505 | https://github.com/inducer/relate/security/advisories/GHSA-rvx5-95mm-p77v https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| Ajax30–BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade’s unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor’s browser upon page load. This issue has been patched via commit 6c56603. | 2026-05-08 | 8.7 | CVE-2026-41524 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433 https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective – unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41669 | https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio’s SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response — containing user identity attributes (login name, email, roles, profile fields) — to an attacker-controlled URL. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41670 | https://github.com/Admidio/admidio/security/advisories/GHSA-p9w9-87c8-m235 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| i18next–i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader(‘Content-Language’, …) verbatim. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.6 | CVE-2026-41683 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg |
| i18next–i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE. | 2026-05-08 | 8.6 | CVE-2026-41690 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw |
| i18next–i18next-fs-backend | i18next-fs-backend is a backend layer for i18next, for use in Node.js and Deno, that loads translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting file on disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value – containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string – allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4. | 2026-05-08 | 8.2 | CVE-2026-41693 | https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj |
| Spring–Spring AI | Spring AI’s MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater. | 2026-05-09 | 8.6 | CVE-2026-41705 | https://spring.io/security/cve-2026-41705 |
| omnifaces–omnifaces | OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. | 2026-05-08 | 8.1 | CVE-2026-41883 | https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8 |
| th30d4y–OpenLearnX | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in version 2.0.3. | 2026-05-08 | 8.8 | CVE-2026-41900 | https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-8h25-q488-4hxw https://github.com/th30d4y/OpenLearnX/commit/14765d7d1856d564747c55c5412e2f38feab079e https://github.com/th30d4y/OpenLearnX/releases/tag/v2.0.3-security-fix |
| givanz–Vvveb | Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP. | 2026-05-06 | 8.8 | CVE-2026-41934 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248 https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor |
| givanz–Vvveb | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation. | 2026-05-06 | 8.1 | CVE-2026-41936 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7 https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106 https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import |
| givanz–Vvveb | Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges. | 2026-05-06 | 8.8 | CVE-2026-41938 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler |
| inngest–inngest-js | Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express’s app.use(…). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods. | 2026-05-07 | 8.6 | CVE-2026-42047 | https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1 |
| EvoMap–evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations. This issue has been patched in version 1.69.3. | 2026-05-04 | 8.1 | CVE-2026-42075 | https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| icip-cas–PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a. | 2026-05-04 | 8.6 | CVE-2026-42079 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token to gain persistence in the hijacked account (including admin accounts) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 8.1 | CVE-2026-42084 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| avo-hq–avo | Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2. | 2026-05-08 | 8.8 | CVE-2026-42205 | https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8 https://github.com/avo-hq/avo/releases/tag/v3.31.2 |
| gitpython-developers–GitPython | GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.8 | CVE-2026-42215 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| 0xJacky–nginx-ui | Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8. | 2026-05-04 | 8.1 | CVE-2026-42221 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky–nginx-ui | Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available. | 2026-05-04 | 8.1 | CVE-2026-42222 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-mxqh-q9h6-v8pq |
| Budibase–budibase | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover – the attacker steals the JWT and has persistent access to the victim’s account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10. | 2026-05-07 | 8.1 | CVE-2026-42239 | https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r https://github.com/Budibase/budibase/releases/tag/3.35.10 |
| openziti–zrok | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and, on shares without OS-level permission restrictions, write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2. | 2026-05-08 | 8.7 | CVE-2026-42275 | https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e https://github.com/openziti/zrok/releases/tag/v2.0.2 |
| gitpython-developers–GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.1 | CVE-2026-42284 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| argoproj–argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo’s Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5. | 2026-05-09 | 8.1 | CVE-2026-42296 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3775-99mw-8rp4 https://github.com/argoproj/argo-workflows/commit/534f4ff1cbd86908e8ff76d97d553ad5a49a950d https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| geopython–pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make the server issue requests to internal HTTP services. This issue has been patched in version 0.23.3. | 2026-05-08 | 8.6 | CVE-2026-42352 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| i18next–i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.2 | CVE-2026-42353 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m |
| GeoVision Inc.–GV-LPC2011/LPC2211 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability. | 2026-05-04 | 8.6 | CVE-2026-42365 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link–DIR-605L Firmware | D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir605l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Logging in with these static credentials gives an attacker on the local network, holding no legitimate account, a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 8.8 | CVE-2026-42372 | D-Link DIR-605L Support Page |
| OpenClaw–OpenClaw | OpenClaw versions from 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of the intended sandbox paths. | 2026-05-05 | 8.8 | CVE-2026-42434 | GitHub Security Advisory (GHSA-736r-jwj6-4w23) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 – Sandbox Escape via host Parameter Override in Exec Routing |
| OpenClaw–OpenClaw | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. | 2026-05-05 | 8.8 | CVE-2026-42435 | GitHub Security Advisory (GHSA-j6c7-3h5x-99g9) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.22 < 2026.4.12 – Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. | 2026-05-05 | 8.5 | CVE-2026-42439 | GitHub Security Advisory (GHSA-rj2p-j66c-mgqh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – SSRF Policy Bypass in Browser Tabs Action Routes |
| czlonkowski–n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the synchronous URL validator SSRFProtection.validateUrlSync(), used on the SDK embedder path (the N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints, RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target. Deployments embedding n8n-mcp as an SDK via N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext are affected. The first-party HTTP server deployment was largely unaffected, because it has a second, asynchronous validator (validateWebhookUrl) that catches IPv6 addresses. This issue has been fixed in version 2.47.14. If upgrading immediately is not possible, the workarounds are to validate URLs before passing them to the SDK, restrict egress at the network layer, and reject user-controlled n8nApiUrl values. | 2026-05-07 | 8.5 | CVE-2026-42449 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f |
| Termix-SSH–Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0. | 2026-05-08 | 8.1 | CVE-2026-42452 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-vx59-rf9w-9jv8 https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| gitroomhq–postiz-app | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering with their own save request, then send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7. | 2026-05-08 | 8.9 | CVE-2026-42556 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| alextselegidis–plainpad | Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1. | 2026-05-09 | 8.3 | CVE-2026-42562 | https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6 https://github.com/alextselegidis/plainpad/issues/138 https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc https://github.com/alextselegidis/plainpad/releases/tag/1.1.1 |
| AzuraCast–AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station’s media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.8 | CVE-2026-42605 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| AzuraCast–AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker’s server. The attacker then uses the token on the real instance to reset the victim’s password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.1 | CVE-2026-42606 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8 https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85 https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix] | 2026-05-06 | 8.8 | CVE-2026-43110 | https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6 https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., “/”), the current logic attempts to check *(cursor2 – 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs. | 2026-05-06 | 8.8 | CVE-2026-43112 | https://git.kernel.org/stable/c/5d4fe469fe7dbff7d874c196bb680a82f2625d95 https://git.kernel.org/stable/c/2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439 https://git.kernel.org/stable/c/86f9c23e0814cfdffda9eedf0c591c51ba209010 https://git.kernel.org/stable/c/49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3 https://git.kernel.org/stable/c/78ec5bf2f589ec7fd8f169394bfeca541b077317 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow. | 2026-05-06 | 8.8 | CVE-2026-43113 | https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf https://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a https://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a https://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02 https://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. | 2026-05-06 | 8.1 | CVE-2026-43134 | https://git.kernel.org/stable/c/335071c0c3637064ec250481f589075db44fe4e6 https://git.kernel.org/stable/c/fa6ad76fa8623c0a50d529cd5726fa5d819a3be4 https://git.kernel.org/stable/c/9118601ff90b79e8df3c0c98f48ae00c1b02ecef https://git.kernel.org/stable/c/481ea39b342c347b6ac029f3d418486280be4e45 https://git.kernel.org/stable/c/ec91078e132179b04e0c3906b599816c056ceaad https://git.kernel.org/stable/c/96581749c7c14fbec32c35728520867929600041 https://git.kernel.org/stable/c/8dd43f9a9323f9c01bc8246da8d81a4c783c9e97 https://git.kernel.org/stable/c/138d7eca445ef37a0333425d269ee59900ca1104 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error. | 2026-05-06 | 8.6 | CVE-2026-43139 | https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787 https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7 https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)); Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes. At the start of xfs_attr3_leaf_add_work, the freemap looks like this: i 0 base 448 size 0 rhs 448 count 46 i 1 base 388 size 132 rhs 448 count 46 i 2 base 2120 size 4 rhs 448 count 46 firstused = 520 where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent — the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388! By the end of the function, the freemap is in worse shape: i 0 base 456 size 0 rhs 456 count 47 i 1 base 388 size 52 rhs 456 count 47 i 2 base 2120 size 4 rhs 456 count 47 firstused = 440 Important note: 388 is not aligned with the entries array element size of 8 bytes. Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down. How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with: * 376 bytes in use by the entries array * freemap[0] has [base = 376, size = 8] * freemap[1] has [base = 388, size = 1500] * the space between 376 and 388 is free, but the freemap stopped tracking that some time ago If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space. The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0. | 2026-05-06 | 8.8 | CVE-2026-43158 | https://git.kernel.org/stable/c/d08976725355b9d54d8332fce223fa281cc304a5 https://git.kernel.org/stable/c/6a8737afbccc340e718e0b22577312826390be8b https://git.kernel.org/stable/c/a396b3d73d51355e50acdb403ba9c4cae4c1174e https://git.kernel.org/stable/c/38613c01f69e1e77e6b8acab1e8ac665d01c2f15 https://git.kernel.org/stable/c/ef42a8766ff3fdf51cf72fb36d0859c09d134478 https://git.kernel.org/stable/c/43f3b18679615a93bd848afde3602ba160637a46 https://git.kernel.org/stable/c/24ce71852f2cee6581e2cbebc15489ed52bf63b7 https://git.kernel.org/stable/c/3eefc0c2b78444b64feeb3783c017d6adc3cd3ce |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix 22000 series SMEM parsing If the firmware were to report three LMACs (which doesn’t exist in hardware) then using “fwrt->smem_cfg.lmac[2]” is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function. | 2026-05-06 | 8.8 | CVE-2026-43172 | https://git.kernel.org/stable/c/1d49a42717bdc8de77eabeb5b7d3e88d141ffea9 https://git.kernel.org/stable/c/2b4b1510aaaf5b9fb57327ecffc20c055f61f205 https://git.kernel.org/stable/c/58192b9ce09b0f0f86e2036683bd542130b91a98 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 (“wifi: rtw89: pci: validate sequence number of TX release report”) does validation on existing chips, which somehow a release report of SKB becomes malformed. As no clear cause found, add rules ahead for RTL8922DE to avoid crash if it happens. | 2026-05-06 | 8.8 | CVE-2026-43176 | https://git.kernel.org/stable/c/ebeaa3b24ba568ff8505165f954dba15cc53e4b3 https://git.kernel.org/stable/c/3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3 https://git.kernel.org/stable/c/5f93d611b33a05bd03d6843c8efe8cb6a1992620 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block. This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size. However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later. For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap. It looks like this bug has been in the codebase for quite a long time. | 2026-05-06 | 8.8 | CVE-2026-43187 | https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2 https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399 https://git.kernel.org/stable/c/479b05fc3ee272090f671b06a41f3da8aa78eece https://git.kernel.org/stable/c/6f13c1d2a6271c2e73226864a0e83de2770b6f34 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). | 2026-05-06 | 8.2 | CVE-2026-43190 | https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287 https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885 https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824 https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05 https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09 https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization. There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I’ve replaced them with tc_lock. | 2026-05-06 | 8.8 | CVE-2026-43215 | https://git.kernel.org/stable/c/953953abb66e52c224057ab91e404284fefeab62 https://git.kernel.org/stable/c/601dd3b79769b38d30b693c40afdb2a4b7edf9d0 https://git.kernel.org/stable/c/3969db6b22e3d90d8c5f22ac1a7fe0350a94c136 https://git.kernel.org/stable/c/8c59eeeeffa1524ef57e173a89a1a3ff539888d5 https://git.kernel.org/stable/c/96c4af418586ee9a6aab61738644366426e05316 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race condition is depicted below: CPU 0 (cleanup) \| CPU 1 (tasklet) \| fst_start_xmit() fst_remove_one() \| tasklet_schedule() unregister_hdlc_device()\| \| fst_process_tx_work_q() //handler kfree(card) //free \| do_bottom_half_tx() \| card-> //use The following KASAN trace was captured: ================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 … Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx___hrtimer_run_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 __irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 … Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 … Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 … The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head\|node=0\|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800aad1000: fa fb ---truncated--- | 2026-05-06 | 8.8 | CVE-2026-43232 | https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8 https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79 https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924 https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81 https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2 https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; … if (ext \|\| (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */ When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well. This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer. Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len(). | 2026-05-06 | 8.2 | CVE-2026-43233 | https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041 https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16 https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1 https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129 https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224 https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock. | 2026-05-06 | 8.8 | CVE-2026-43239 | https://git.kernel.org/stable/c/93e8e3ee165ae4609a1222b516b573837103d2c3 https://git.kernel.org/stable/c/ab6564f416a6eaf1199200b6100952407b438f7d https://git.kernel.org/stable/c/6287eefaf21ec805d42f941bd368018cf397a7f5 https://git.kernel.org/stable/c/76cc4faba0343c6db945b8dc75425b33d633e1b8 https://git.kernel.org/stable/c/c3c06e42e1527716c54f3ad2ced6a034b5f3a489 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash. This is a fix for the following double-free: [ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none) [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150 [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42 [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246 [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000 [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000 [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000 [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68 [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040 [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000 [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660 [ 27.052418] Call Trace: [ 27.052420] <TASK> [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720 [ 27.052426] ? xenbus_otherend_changed+0x72/0x140 [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10 [ 27.052434] xenwatch_thread+0x94/0x1c0 [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10 [ 27.052442] kthread+0xf8/0x240 [ 27.052445] ? __pfx_kthread+0x10/0x10 [ 27.052449] ? __pfx_kthread+0x10/0x10 [ 27.052452] ret_from_fork+0x16b/0x1a0 [ 27.052456] ? __pfx_kthread+0x10/0x10 [ 27.052459] ret_from_fork_asm+0x1a/0x30 [ 27.052463] </TASK> [ 27.052465] Modules linked in: [ 27.052471] ---[ end trace 0000000000000000 ]--- | 2026-05-06 | 8.8 | CVE-2026-43249 | https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773 https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065 https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq() The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu(). | 2026-05-06 | 8.4 | CVE-2026-43274 | https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867 https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. | 2026-05-06 | 8.8 | CVE-2026-43283 | https://git.kernel.org/stable/c/0f589ee54fd6d76d3f75e745f7f12c64cbd749e5 https://git.kernel.org/stable/c/accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0 https://git.kernel.org/stable/c/8320727be7ff704e07c87624efc2a4a75f54b3ce https://git.kernel.org/stable/c/1e300c33ef3cc544c2b9c693778fe9490cfe9184 https://git.kernel.org/stable/c/1b1371cd4032ae859838ebc74215f569987bb197 https://git.kernel.org/stable/c/1b1d3c5d58a80a19d017a409aa2308162bab5bbf https://git.kernel.org/stable/c/7e54ff938bebb173822b4c38b33fc164c1cabf92 https://git.kernel.org/stable/c/ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). | 2026-05-08 | 8.8 | CVE-2026-43284 | https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9 https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7 https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03 https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97 https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034 https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data Since commit 9c328f54741b (“net: nfc: nci: Add parameter validation for packet data”) communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). | 2026-05-08 | 8.3 | CVE-2026-43291 | https://git.kernel.org/stable/c/a24a8a582da4426b2042e510a1080df84083b51d https://git.kernel.org/stable/c/f5218426f765eee22e178df9c126d974792fb6a5 https://git.kernel.org/stable/c/ad058a4317db7fdb3f09caa6ed536d24a62ce6a0 https://git.kernel.org/stable/c/3b91160e9a91b5a2662875417dc42dc5b0bf03ea https://git.kernel.org/stable/c/c692db813a7e3b7c3c17d6e9a3ad2a018bf1142b https://git.kernel.org/stable/c/498fc5d0d650c77e87fcc73808d4f43240c21805 https://git.kernel.org/stable/c/571dcbeb8e635182bb825ae758399831805693c2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue is not able to prevent it: ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52 CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:194 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963 hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084 le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861 hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x2f8/0x6e0 mm/slub.c:6871 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x590 lib/kobject. ---truncated--- | 2026-05-08 | 8.8 | CVE-2026-43322 | https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867 https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned. | 2026-05-08 | 8.8 | CVE-2026-43334 | https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9 https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path was not affected, as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption. | 2026-05-08 | 8.1 | CVE-2026-43362 | https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258 https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518 https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95 https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650 https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn’t list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors… XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount …on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this… meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0 …observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you’d expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that’s clearly going to require a different backport. | 2026-05-08 | 8.2 | CVE-2026-43365 | https://git.kernel.org/stable/c/5afae524f83d6a18517298491a5624cb0eae5029 https://git.kernel.org/stable/c/2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40 https://git.kernel.org/stable/c/41e91dff2d3974730b5ee50daa8e27ec254cbf91 https://git.kernel.org/stable/c/e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d https://git.kernel.org/stable/c/446a1f5bb64ba38adb93cb043ff0f7b85e8937ca https://git.kernel.org/stable/c/5e7148402dfc4a5b7894d8e97b15e5c2e70924aa https://git.kernel.org/stable/c/52a8a1ba883defbfe3200baa22cf4cd21985d51a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Don’t log keys in SMB3 signing and encryption key generation When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials. | 2026-05-08 | 8.1 | CVE-2026-43377 | https://git.kernel.org/stable/c/4084ed720d7d5f4e975c9e4a6267a552dad3b24a https://git.kernel.org/stable/c/fec5c70b82af3f59f15bb984df94e5ad1fccfb1e https://git.kernel.org/stable/c/3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f https://git.kernel.org/stable/c/407cc37c21d51f9b9d4d20204b04890880cfa6ae https://git.kernel.org/stable/c/c6b01b997a2094969e315f1ebfc1d64b8ae2163d https://git.kernel.org/stable/c/441336115df26b966575de56daf7107ed474faed |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for handle opening Even privileged services should not necessarily be able to see other privileged services’ namespaces, so they can’t leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43391 | https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf https://git.kernel.org/stable/c/d2324a9317f00013facb0ba00b00440e19d2af5e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for ns iteration ioctls Even privileged services should not necessarily be able to see other privileged services’ namespaces, so they can’t leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43403 | https://git.kernel.org/stable/c/3376b345df155ca36d8611857b41ff7d5183fc38 https://git.kernel.org/stable/c/2f3dea284c761c890d676f77d5e55c0c496b4ef4 https://git.kernel.org/stable/c/0ad650e60150eda789deca5e78a6a09d26bf8fc9 https://git.kernel.org/stable/c/e6b899f08066e744f89df16ceb782e06868bd148 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. | 2026-05-08 | 8.2 | CVE-2026-43452 | https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823 https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907 https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540 https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5 https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36 https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched. Remove the ‘dma_fifo_cc = 0’ reset. This fixes the following WARNING: WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 Call Trace: <IRQ> ? __warn+0x7d/0x110 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0x16d/0x180 ? handle_bug+0x4f/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 ? iommu_dma_unmap_page+0x2e/0x90 dma_unmap_page_attrs+0x10d/0x1b0 mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] __napi_poll+0x24/0x190 net_rx_action+0x32a/0x3b0 ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] ? notifier_call_chain+0x35/0xa0 handle_softirqs+0xc9/0x270 irq_exit_rcu+0x71/0xd0 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 | 2026-05-08 | 8.2 | CVE-2026-43466 | https://git.kernel.org/stable/c/821f85d619f7f22cda7b9d7de89cf5eeb1d11544 https://git.kernel.org/stable/c/6eb68ecc5acc3b319986566c595990b8a7265b23 https://git.kernel.org/stable/c/6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e https://git.kernel.org/stable/c/383b37c04a4827ba60b2bafc1a6cdfd995aed58f https://git.kernel.org/stable/c/9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8 https://git.kernel.org/stable/c/ce1b19dd0684eeb68a124c11085bd611260b36d9 https://git.kernel.org/stable/c/829efcccfa8f69db5dc8332961295587d218cee6 https://git.kernel.org/stable/c/1633111d69053512d099658d4a05fc736fab36b0 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. | 2026-05-05 | 8.2 | CVE-2026-43526 | GitHub Security Advisory (GHSA-2767-2q9v-9326) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.12 – Server-Side Request Forgery via QQBot Reply Media URL Handling |
| OpenClaw–OpenClaw | OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. | 2026-05-05 | 8.8 | CVE-2026-43530 | GitHub Security Advisory (GHSA-2cq5-mf3v-mx44) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.23 < 2026.4.12 – Weakened Exec Approval Binding via busybox and toybox Applet Execution |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. | 2026-05-05 | 8.6 | CVE-2026-43533 | GitHub Security Advisory (GHSA-66r7-m7xm-v49h) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Arbitrary Local File Read via QQBot Media Tags |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. | 2026-05-05 | 8.8 | CVE-2026-43569 | GitHub Security Advisory (GHSA-939r-rj45-g2rj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 – Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. | 2026-05-05 | 8.8 | CVE-2026-43571 | GitHub Security Advisory (GHSA-82qx-6vj7-p8m2) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Untrusted Workspace Plugin Shadow Resolution in Channel Setup |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | 2026-05-06 | 8.8 | CVE-2026-43584 | GitHub Security Advisory (GHSA-vfp4-8x56-j7c5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Insufficient Environment Variable Denylist in Exec Policy |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | 2026-05-06 | 8.1 | CVE-2026-43585 | GitHub Security Advisory (GHSA-xmxx-7p24-h892) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 – Bearer Token Validation Bypass via Stale SecretRef Resolution |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16. | 2026-05-08 | 8.4 | CVE-2026-43940 | https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm https://github.com/electerm/electerm/releases/tag/v3.7.16 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | 2026-05-06 | 8.8 | CVE-2026-44110 | GitHub Security Advisory (GHSA-2gvc-4f3c-2855) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.15 – Authorization Bypass in Matrix Room Control Commands via DM Pairing Store |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime. | 2026-05-06 | 8.8 | CVE-2026-44115 | GitHub Security Advisory (GHSA-x3h8-jrgh-p8jx) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 – Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin’s sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | 2026-05-06 | 8.6 | CVE-2026-44116 | GitHub Security Advisory (GHSA-2hh7-c75g-qj2r) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 – Server-Side Request Forgery in Zalo Photo URL Validation |
| ProFTPD–ProFTPD | In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When “UseReverseDNS on” is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability. | 2026-05-05 | 8.1 | CVE-2026-44331 | https://github.com/proftpd/proftpd/issues/2057 https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1 |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287’s fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32. | 2026-05-08 | 8.4 | CVE-2026-44334 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-xcmw-grxf-wjhj |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37. | 2026-05-08 | 8.6 | CVE-2026-44339 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq |
| MailEnable–MailEnable Enterprise Premium | MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions. | 2026-05-08 | 8.1 | CVE-2026-44400 | https://www.mailenable.com/Premium-ReleaseNotes.txt https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin |
| wedevs–User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system. | 2026-05-08 | 8.8 | CVE-2026-5127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2 |
| DivvyDrive Information Technologies Inc.–DivvyDrive | Improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-5784 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Ivanti–Endpoint Manager Mobile | An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access. | 2026-05-07 | 8.8 | CVE-2026-5786 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| Ivanti–Endpoint Manager Mobile | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. | 2026-05-07 | 8.9 | CVE-2026-5787 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| DivvyDrive Information Technologies Inc.–DivvyDrive | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-6002 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| MuffinGroup–Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow. | 2026-05-05 | 8.8 | CVE-2026-6261 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat–Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim’s account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email. | 2026-05-04 | 8.3 | CVE-2026-6266 | RHSA-2026:13508 RHSA-2026:13512 RHSA-2026:13545 https://access.redhat.com/security/cve/CVE-2026-6266 RHBZ#2458142 |
| www[.]pgbouncer[.]org–PgBouncer | The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. | 2026-05-09 | 8.1 | CVE-2026-6665 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Revolution Slider–Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the ‘_get_media_url’ and ‘_check_file_path’ functions. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11. | 2026-05-07 | 8.8 | CVE-2026-6692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e802a6-d2f1-47cc-883a-89110e569168?source=cve https://www.sliderrevolution.com/ |
| davidanderson–WP-Optimize Cache, Compress images, Minify & Clean database to boost page speed & performance | The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because ‘original-file’ is a public (non-protected) meta key – it does not begin with an underscore – allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API. | 2026-05-07 | 8.1 | CVE-2026-7252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db?source=cve https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/changeset/3518513/wp-optimize/trunk/includes/class-updraft-smush-manager.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-optimize/tags/4.5.2&new_path=%2Fwp-optimize/tags/4.5.3 |
| Eclipse Foundation–Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS). | 2026-05-05 | 8.6 | CVE-2026-7412 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 |
| Totolink–WA300 | A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulation of the argument File can lead to a buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 8.8 | CVE-2026-7717 | VDB-360893 \| Totolink WA300 POST Request cstecgi.cgi UploadCustomModule buffer overflow VDB-360893 \| CTI Indicators (IOB, IOC, IOA) Submit #807193 \| Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-UploadCustomModule-34553a41781f80a8a287e48a7fb04de9 https://www.totolink.net/ |
| Totolink–N300RH | A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulation of the argument FileName can lead to a buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 8.8 | CVE-2026-7748 | VDB-360923 \| Totolink N300RH POST Request cstecgi.cgi setUpgradeFW buffer overflow VDB-360923 \| CTI Indicators (IOB, IOC, IOA) Submit #807202 \| Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setUpgradeFW-34553a41781f80abb1d1c627d7ff4329?pvs=73 https://www.totolink.net/ |
| Totolink–N300RH | A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulation of the argument priDns leads to a buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 8.8 | CVE-2026-7749 | VDB-360924 \| Totolink N300RH POST Request cstecgi.cgi setWanConfig buffer overflow VDB-360924 \| CTI Indicators (IOB, IOC, IOA) Submit #807203 \| Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2 https://www.totolink.net/ |
| Totolink–N300RH | A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerability affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulation of the argument mac_address results in a buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-04 | 8.8 | CVE-2026-7750 | VDB-360925 \| Totolink N300RH POST Request cstecgi.cgi setMacFilterRules buffer overflow VDB-360925 \| CTI Indicators (IOB, IOC, IOA) Submit #807204 \| Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setMacFilterRules-34553a41781f809cb952cdcb71ce90d8 https://www.totolink.net/ |
| SmarterTools Inc.–SmarterMail | SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users. | 2026-05-08 | 8.1 | CVE-2026-7807 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api |
| GeoVision Inc.–ASManager | A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions. | 2026-05-06 | 8.8 | CVE-2026-7841 | https://www.geovision.com.tw/cyber_security.php |
| D-Link–DI-8100 | A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tggl_asp of the file /tggl.asp of the component HTTP Request Handler. Manipulation of the argument Name results in a buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-05-05 | 8.8 | CVE-2026-7855 | VDB-361132 \| D-Link DI-8100 HTTP Request tggl.asp tggl_asp buffer overflow VDB-361132 \| CTI Indicators (IOB, IOC, IOA) Submit #807841 \| D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/tggl_asp_overflow.md https://www.dlink.com/ |
| Qwibit–NanoClaw | NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target. | 2026-05-06 | 8.8 | CVE-2026-7875 | https://github.com/qwibitai/nanoclaw/pull/2001 https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 https://github.com/qwibitai/nanoclaw/releases/tag/v1.2.0 |
| Totolink–X5000R | A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. Manipulation of the argument submit-url leads to a buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-05-08 | 8.8 | CVE-2026-8137 | VDB-361926 \| Totolink X5000R formDdns sub_458E40 buffer overflow VDB-361926 \| CTI Indicators (IOB, IOC, IOA) Submit #808863 \| Totolink X5000R V9.1.0u.6369_B20230113 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/4 https://www.totolink.net/ |
| Tenda–CX12L | A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in a stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-08 | 8.8 | CVE-2026-8138 | VDB-361927 \| Tenda CX12L SetPptpServerCfg formSetPPTPServer stack-based overflow VDB-361927 \| CTI Indicators (IOB, IOC, IOA) Submit #808867 \| Tenda CX12L V16.03.53.12 Stack-based Buffer Overflow https://github.com/cve-a/lvdan/issues/6 https://www.tenda.com.cn/ |
| Amazon–Amazon Redshift JDBC Driver | An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application’s classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later. | 2026-05-08 | 8.1 | CVE-2026-8178 | https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2 https://aws.amazon.com/security/security-bulletins/2026-028-aws/ https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q |
| EFM–ipTIME A8004T | A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. Manipulation of the argument security_5g leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 8.8 | CVE-2026-8234 | VDB-362454 \| EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow VDB-362454 \| CTI Indicators (IOB, IOC, IOA) Submit #808865 \| IPTIME A8004T 14.18.2 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/5 |
| memono–Notepad | memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | 2026-05-10 | 7.5 | CVE-2021-47944 | ExploitDB-49977 VulnCheck Advisory: memono Notepad 4.2 Denial of Service via Buffer Overflow |
| argus–Argus Surveillance DVR | Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts. | 2026-05-10 | 7.8 | CVE-2021-47945 | ExploitDB-50261 VulnCheck Advisory: Argus Surveillance DVR 4.0 Unquoted Service Path Privilege Escalation |
| Backupbliss–WordPress Plugin Backup Migration | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps. | 2026-05-05 | 7.5 | CVE-2023-54346 | ExploitDB-51445 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download |
| Open-Emr–OpenEMR | OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions. | 2026-05-05 | 7.5 | CVE-2023-54347 | ExploitDB-51413 Official Product Homepage Product Reference VulnCheck Advisory: OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass |
| Qualcomm, Inc.–Snapdragon | Memory corruption when processing camera sensor input/output control codes with invalid output buffers. | 2026-05-04 | 7.8 | CVE-2025-47405 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level. | 2026-05-04 | 7.8 | CVE-2025-47407 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory corruption when another driver calls an IOCTL with invalid input/output buffer. | 2026-05-04 | 7.8 | CVE-2025-47408 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WPMart–Team Member | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team Member: from n/a through 8.5. | 2026-05-07 | 7.6 | CVE-2025-68060 | https://patchstack.com/database/wordpress/plugin/team-showcase-supreme/vulnerability/wordpress-team-member-plugin-8-5-sql-injection-vulnerability?_s_id=cve |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71251 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71252 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71253 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71254 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71255 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71256 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| GravityMore–Gravity Bookings | The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-06 | 7.5 | CVE-2026-1719 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85?source=cve https://gravitybooking.com/ |
| Cisco–Cisco Unity Connection | A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. | 2026-05-06 | 7.2 | CVE-2026-20035 | cisco-sa-unity-rce-ssrf-hENhuASy |
| Cisco–Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this vulnerability by submitting crafted input to the web-based management interface. A successful exploit could allow the attacker to request unauthorized files from a remote router, causing the router to reload and resulting in a DoS condition. | 2026-05-06 | 7.7 | CVE-2026-20167 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco–Cisco Small Business Smart and Managed Switches | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. | 2026-05-06 | 7.7 | CVE-2026-20185 | cisco-sa-sg350-snmp-dos-GEFZr2Tj |
| Cisco–Cisco Crosswork Network Change Automation | A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. An attacker could exploit this vulnerability by sending a large number of connection requests to an affected system. A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition. | 2026-05-06 | 7.5 | CVE-2026-20188 | cisco-sa-nso-dos-7Egqyc |
| Meta–react-server-dom-turbopack | A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints; this could lead to server crashes, out-of-memory exceptions or excessive CPU usage. It affects the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5). | 2026-05-06 | 7.5 | CVE-2026-23870 | https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh |
| Qualcomm, Inc.–Snapdragon | Memory corruption when copying data from a freed source while executing a performance counter deselect operation. | 2026-05-04 | 7.8 | CVE-2026-24082 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Jules Colle–Conditional Fields for Contact Form 7 | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process. | 2026-05-04 | 7.5 | CVE-2026-25863 | https://wordpress.org/plugins/cf7-conditional-fields/#developers https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption |
| Microsoft–Microsoft 365 Copilot’s Business Chat | Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft–Microsoft 365 Copilot’s Business Chat | Improper neutralization of special elements in output used by a downstream component (‘injection’) in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability |
| Profelis Information and Consulting Trade and Industry Limited Company–SambaBox | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3. | 2026-05-04 | 7.2 | CVE-2026-3120 | https://www.usom.gov.tr/bildirim/tr-26-0155 |
| Scott Paterson–easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying ‘test’ as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-32834 | https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning |
| Microsoft–Copilot Chat (Microsoft Edge) | Improper neutralization of special elements used in a command (‘command injection’) in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability |
| 10web–Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the ‘inputs’ parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve https://plugins.trac.wordpress.org/changeset/3518461/form-maker |
| Red Hat–Red Hat Hardened Images | A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. | 2026-05-04 | 7.5 | CVE-2026-33846 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33846 RHBZ#2450625 |
| Akamai–Guardicore Platform Agent | Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5. | 2026-05-08 | 7.4 | CVE-2026-34354 | https://www.akamai.com/blog/security-research/advisory-cve-2026-34354-guardicore-local-privilege-escalation |
| ahmadgb–GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The GeekyBot – Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the ‘attributekey’ parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3456 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4c716fd3-6297-4b3a-a796-65f68f2986cf?source=cve https://plugins.trac.wordpress.org/changeset/3474168/geeky-bot |
| Hikvision–DS-3E1310P-SI | Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-05-09 | 7.2 | CVE-2026-3828 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-switch-product/ |
| OpenStack–Cyborg | OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC. | 2026-05-07 | 7.4 | CVE-2026-40213 | https://bugs.launchpad.net/openstack-cyborg/+bug/2143263 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| Spring–Spring Cloud Config | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.5 | CVE-2026-40981 | https://spring.io/security/cve-2026-40981 |
| Spring–Spring Cloud Config | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.4 | CVE-2026-41002 | https://spring.io/security/cve-2026-41002 |
| harttle–liquidjs | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7. | 2026-05-09 | 7.5 | CVE-2026-41311 | https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548 https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0 https://github.com/harttle/liquidjs/releases/tag/v10.25.7 |
| QuantumNous–new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10. | 2026-05-08 | 7.1 | CVE-2026-41432 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4 https://github.com/QuantumNous/new-api/releases/tag/v0.12.10 |
| Scott Paterson–easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-41471 | https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint |
| cilium–cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. This issue has been patched in versions 1.17.15, 1.18.9, and 1.19.3. | 2026-05-08 | 7.9 | CVE-2026-41520 | https://github.com/cilium/cilium/security/advisories/GHSA-gj49-89wh-h4gj https://github.com/cilium/cilium/releases/tag/v1.17.15 https://github.com/cilium/cilium/releases/tag/v1.18.9 https://github.com/cilium/cilium/releases/tag/v1.19.3 |
| Bricks–Bricks Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2. | 2026-05-07 | 7.1 | CVE-2026-41554 | https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| sebastianbergmann–phpunit | PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets `"` as a string delimiter, `;` as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6. | 2026-05-08 | 7.8 | CVE-2026-41570 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243 https://github.com/sebastianbergmann/phpunit/pull/6592 |
| Ajax30–BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP’s nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603. | 2026-05-08 | 7.1 | CVE-2026-41576 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-x7cg-8grr-grvx https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| nocobase–nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.5 | CVE-2026-41640 | https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432 https://github.com/nocobase/nocobase/pull/9133 https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| nocobase–nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.2 | CVE-2026-41641 | https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh https://github.com/nocobase/nocobase/pull/9134 https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| osrg–gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as “Well-known,” the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0. | 2026-05-07 | 7.5 | CVE-2026-41642 | https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px https://github.com/osrg/gobgp/releases/tag/v4.4.0 |
| osrg–gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0. | 2026-05-07 | 7.5 | CVE-2026-41643 | https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q https://github.com/osrg/gobgp/releases/tag/v4.3.0 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio’s two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users’ TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin’s 2FA. This issue has been patched in version 5.0.9. | 2026-05-07 | 7.1 | CVE-2026-41660 | https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| ellite–Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches. | 2026-05-07 | 7.7 | CVE-2026-41688 | https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef |
| locize–locize | locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener(“message”, …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === “i18next-editor-frame” – that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host – an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down – could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21. | 2026-05-08 | 7.5 | CVE-2026-41886 | https://github.com/locize/locize/security/advisories/GHSA-w937-fg2h-xhq2 https://github.com/locize/locize/releases/tag/v4.0.21 |
| freescout-help-desk–freescout | FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer’s webmail / mail-client context. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.6 | CVE-2026-41904 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q3fh-rj9h-jfrc https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk–freescout | FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.7 | CVE-2026-41905 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-22wf-848c-c856 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk–freescout | FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214. | 2026-05-07 | 7.1 | CVE-2026-41906 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-p6hg-2cwg-rrx9 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. | 2026-05-07 | 7.1 | CVE-2026-42010 | https://access.redhat.com/security/cve/CVE-2026-42010 RHBZ#2467289 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. | 2026-05-07 | 7.4 | CVE-2026-42011 | https://access.redhat.com/security/cve/CVE-2026-42011 RHBZ#2467437 |
| prometheus–prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42151 | https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj https://github.com/prometheus/prometheus/pull/18587 https://github.com/prometheus/prometheus/pull/18590 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| prometheus–prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42154 | https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm https://github.com/prometheus/prometheus/pull/18584 https://github.com/prometheus/prometheus/pull/18585 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| Eugeny–russh | Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server’s keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1. | 2026-05-08 | 7.5 | CVE-2026-42189 | https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1 https://github.com/Eugeny/russh/releases/tag/v0.60.1 |
| dail8859–NotepadNext | Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext’s detectLanguageFromExtension() function interpolates a file’s extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14. | 2026-05-07 | 7.8 | CVE-2026-42214 | https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc https://github.com/dail8859/NotepadNext/releases/tag/v0.14 |
| Icinga–ipl-web | ipl/web is a set of common web components for PHP projects. Prior to version 0.13.1, a vulnerability allows an attacker to inject malicious JavaScript into a victim’s browser and run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1. | 2026-05-08 | 7.6 | CVE-2026-42224 | https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d https://github.com/Icinga/ipl-web/releases/tag/v0.13.1 |
| legeling–PromptHub | PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn’t the literal string “::1”. Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true – a supported and documented configuration – this means any internet user who can register. This issue has been patched in version 0.5.4. | 2026-05-08 | 7.1 | CVE-2026-42261 | https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6 https://github.com/legeling/PromptHub/releases/tag/v0.5.4 |
| axios–axios | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2. | 2026-05-08 | 7.4 | CVE-2026-42264 | https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj https://github.com/axios/axios/pull/10779 https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa https://github.com/axios/axios/releases/tag/v1.15.2 |
| osrg–gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a “withdraw” action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0. | 2026-05-07 | 7.5 | CVE-2026-42285 | https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j https://github.com/osrg/gobgp/releases/tag/v4.5.0 |
| befeleme–pyp2spec | pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1. | 2026-05-09 | 7.8 | CVE-2026-42301 | https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1 |
| labring–FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT’s isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not ‘true’), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches. | 2026-05-08 | 7.7 | CVE-2026-42345 | https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94 |
| geopython–pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi’s STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3. | 2026-05-08 | 7.5 | CVE-2026-42351 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6 https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52 https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| GeoVision Inc.–GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-05-04 | 7.4 | CVE-2026-42366 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. | 2026-05-05 | 7.7 | CVE-2026-42436 | GitHub Security Advisory (GHSA-c4qm-58hj-j6pj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 – Internal Page Content Exposure via Browser Snapshot and Screenshot Routes |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path. | 2026-05-05 | 7.5 | CVE-2026-42437 | GitHub Security Advisory (GHSA-vw3h-q6xq-jjm5) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 – Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path. | 2026-05-05 | 7.7 | CVE-2026-42438 | GitHub Security Advisory (GHSA-jhpv-5j76-m56h) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 – Sender Policy Bypass in Host Media Attachment Reads |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5. | 2026-05-09 | 7.5 | CVE-2026-42574 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6 https://github.com/chainguard-dev/apko/pull/2187 https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442 https://github.com/chainguard-dev/apko/releases/tag/v1.2.5 |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7. | 2026-05-09 | 7.5 | CVE-2026-42575 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenStack–Ironic | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. | 2026-05-05 | 7.7 | CVE-2026-42997 | https://www.openwall.com/lists/oss-security/2026/05/05/10 https://security.openstack.org/ossa/OSSA-2026-010.html |
| WeePie–WeePie Cookie Allow | The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the ‘consent’ parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-4304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f783e626-37c0-4ad9-9074-c5332583a0cb?source=cve https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528 https://weepie-plugins.com/changelog-weepie-cookie-allow-plugin/ |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: – templates that specify the conntrack zone, because a percpu area is used and module removal is possible. – conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies. | 2026-05-05 | 7.8 | CVE-2026-43060 | https://git.kernel.org/stable/c/8a64e76933672b08bd85b63086f33432070fd729 https://git.kernel.org/stable/c/3da0b946835f33bf36b459ead764c61a761e689b https://git.kernel.org/stable/c/ab50302190b303f847c4eba0e31a01a56dec596e https://git.kernel.org/stable/c/e68a8db3a0546482b34e9ca5ca886bcf73eb37bb https://git.kernel.org/stable/c/6802ff8beceb9c4254318e81c1395720438f2cc2 https://git.kernel.org/stable/c/f29a055e4f593e577805b41228b142b58f48df1b https://git.kernel.org/stable/c/77da55dee67720e2b8d2db49a53334e6c017ee7b https://git.kernel.org/stable/c/36eae0956f659e48d5366d9b083d9417f3263ddc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: – The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. – rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field. | 2026-05-05 | 7.1 | CVE-2026-43062 | https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0 https://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7 https://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186 https://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6 https://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d https://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19 https://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82 https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: don’t irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that. | 2026-05-05 | 7.8 | CVE-2026-43063 | https://git.kernel.org/stable/c/b5c5a50c2f513d4a13a6763564a07b470e69cc5a https://git.kernel.org/stable/c/a1a5df1038f0b3c560d204270373621a4e622808 https://git.kernel.org/stable/c/40082d08b638485cbaa543dc8087a3d1844d6f08 https://git.kernel.org/stable/c/70685c291ef82269180758130394ecdc4496b52c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken. Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register’s value and potentially allowing out-of-bounds memory accesses. Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`. | 2026-05-05 | 7.8 | CVE-2026-43070 | https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8 https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1 https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF. | 2026-05-06 | 7.8 | CVE-2026-43074 | https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9 https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427 https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322 https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <– KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it. | 2026-05-06 | 7.8 | CVE-2026-43075 | https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9 https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9 https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604 https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode’s i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: – i_size was 1099511627576 bytes (~1TB) – Actual inline data capacity (id_count) is typically <256 bytes – A garbage rec_len (54648) caused ctx->pos to jump out of bounds – This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. | 2026-05-06 | 7.8 | CVE-2026-43076 | https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63 https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39 https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg – Fix page reassignment overflow in af_alg_pull_tsgl When page reassignment was added to af_alg_pull_tsgl the original loop wasn’t updated so it may try to reassign one more page than necessary. Add the check to the reassignment so that this does not happen. Also update the comment which still refers to the obsolete offset argument. | 2026-05-06 | 7.8 | CVE-2026-43078 | https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42 https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503 https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71 https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468 https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271 https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450 struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list. Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure. | 2026-05-06 | 7.8 | CVE-2026-43084 | https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252 https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables. | 2026-05-06 | 7.8 | CVE-2026-43091 | https://git.kernel.org/stable/c/b66920a3348c0f63ba18365248fa21fbf0b3a937 https://git.kernel.org/stable/c/438b1f668ad58f46ce699bb48e4698a7839e3f9e https://git.kernel.org/stable/c/3733fce2871c9bca9dd18a1a23b1432ea215a094 https://git.kernel.org/stable/c/33a3149dd81a1e2f52b80ee1e0fc380b39f3d028 https://git.kernel.org/stable/c/069daad4f2ae9c5c108131995529d5f02392c446 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame The current headroom validation in xdp_umem_reg() could leave us with insufficient space dedicated to even receive minimum-sized ethernet frame. Furthermore if multi-buffer would come to play then skb_shared_info stored at the end of XSK frame would be corrupted. HW typically works with 128-aligned sizes so let us provide this value as bare minimum. Multi-buffer setting is known later in the configuration process so besides accounting for 128 bytes, let us also take care of tailroom space upfront. | 2026-05-06 | 7.8 | CVE-2026-43093 | https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1 https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12 https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39 https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may be safer than misreporting “No Such Interface”. | 2026-05-06 | 7.5 | CVE-2026-43099 | https://git.kernel.org/stable/c/47a8bf52156ac7e7a581eca31c1f964ba4258d4d https://git.kernel.org/stable/c/6be325206850a0891896d38bcf83a09d8b54ec48 https://git.kernel.org/stable/c/f91b3ed9e7fa82a70511b5f6901c88379acf2964 https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5 https://git.kernel.org/stable/c/fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian. Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE(). Note that @dev can’t be NULL. | 2026-05-06 | 7.5 | CVE-2026-43101 | https://git.kernel.org/stable/c/4198aab6f000b4febb18ea820fea20634dd789c7 https://git.kernel.org/stable/c/3719c234fa94c37c955b1ecd3742ef280ec135e6 https://git.kernel.org/stable/c/4e65a8b8daa18d63255ec58964dd192c7fdd9f8b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the ‘rep’ dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object(). | 2026-05-06 | 7.8 | CVE-2026-43106 | https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480 https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it’s still being accessed, leading to a use-after-free. Protect the readers list traversal with the readers_lock mutex. | 2026-05-06 | 7.8 | CVE-2026-43111 | https://git.kernel.org/stable/c/e6a445513fbc6a0329d2d5ff375b6725750ec5a6 https://git.kernel.org/stable/c/e16a6d11bd77b81632165f02cf0d5946df74b3b7 https://git.kernel.org/stable/c/36bb2d0b915014bbdc5044982b31b57b78045b93 https://git.kernel.org/stable/c/bca0b595e15450dd66b1153c76c4ef1087ee011b https://git.kernel.org/stable/c/d802d848308b35220f21a8025352f0c0aba15c12 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->master safely: – Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away. – Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths. This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity, in the cases that are described below this is just slightly extending the lock section. The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect(). However, the delete expectation command needs to grab the spinlock before looking up for the expectation. Expand the existing spinlock section to address this to cover the expectation lookup. Note that, the nf_ct_expect_iterate_net() calls already grabs the spinlock while iterating over the expectation table, which is correct. The get expectation command needs to grab the spinlock to ensure master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL. For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master. While at it, add lockdep notations to help identify what codepaths need to grab the spinlock. | 2026-05-06 | 7.8 | CVE-2026-43116 | https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 (“RDMA/irdma: Add support to re-register a memory region”) | 2026-05-06 | 7.8 | CVE-2026-43120 | https://git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e https://git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0 https://git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0 https://git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441 https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: mixer: oss: Add card disconnect checkpoints ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might not always be caught at disconnecting the device. For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest context should be covered by that properly. | 2026-05-06 | 7.8 | CVE-2026-43126 | https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47 https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029 https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965 https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt). | 2026-05-06 | 7.8 | CVE-2026-43128 | https://git.kernel.org/stable/c/70542b69abff34d24b11ae0bb200cc7a766d18df https://git.kernel.org/stable/c/b324327ff6f48d8065dca67eb3b91357e72726bd https://git.kernel.org/stable/c/ba3bf0f1bf1d5d0404678485e872980532fcc2c4 https://git.kernel.org/stable/c/d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf https://git.kernel.org/stable/c/40126bcbefa79ea86672e05dae608596bab38319 https://git.kernel.org/stable/c/104016eb671e19709721c1b0048dd912dc2e96be |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f (“KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state”) made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB. | 2026-05-06 | 7.9 | CVE-2026-43133 | https://git.kernel.org/stable/c/10063e1251c1485034a018236080792ad083dcc5 https://git.kernel.org/stable/c/c3b7015000988ba35ecd5648f4b2283960f00543 https://git.kernel.org/stable/c/3880e331b0b31d0d5d3702b124f6c93539cd478a https://git.kernel.org/stable/c/fce2fd4a2ca05670a91015aacccf96a1c26268fd https://git.kernel.org/stable/c/d464cf1ed900d47c85393d40b00017b6adfc2e6c https://git.kernel.org/stable/c/0004ecb798b30e90d7ebfe74efae2d9423315a64 https://git.kernel.org/stable/c/127ccae2c185f62e6ecb4bf24f9cb307e9b9c619 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/arm-cmn: Reject unsupported hardware configurations So far we’ve been fairly lax about accepting both unknown CMN models (at least with a warning), and unknown revisions of those which we do know, as although things do frequently change between releases, typically enough remains the same to be somewhat useful for at least some basic bringup checks. However, we also make assumptions of the maximum supported sizes and numbers of things in various places, and there’s no guarantee that something new might not be bigger and lead to nasty array overflows. Make sure we only try to run on things that actually match our assumptions and so will not risk memory corruption. We have at least always failed on completely unknown node types, so update that error message for clarity and consistency too. | 2026-05-06 | 7.8 | CVE-2026-43150 | https://git.kernel.org/stable/c/7e2c200010aa93fa78201da959b4ac6b9f8fed0b https://git.kernel.org/stable/c/d3e837e11ee9ed08df229272319199003ba00379 https://git.kernel.org/stable/c/00d69f21ef2ab00e6156c764d89e2b3539eb2f33 https://git.kernel.org/stable/c/08c7eadd8a934a1968e1aeeee8b61b853b99fb3a https://git.kernel.org/stable/c/a251d866f50b6a4c95901fa722025065679c2eca https://git.kernel.org/stable/c/36c0de02575ce59dfd879eb4ef63d53a68bbf9ce |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read. | 2026-05-06 | 7.8 | CVE-2026-43153 | https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1 https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61 https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86 https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb(). syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0] Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock(). Let’s handle the error in udplite_sk_init() and udplitev6_sk_init(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 Read of size 4 at addr 0000000000000008 by task syz.2.18/2944 CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <IRQ> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 kasan_report+0xa2/0xe0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read include/linux/instrumented.h:82 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline] udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6149 [inline] __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262 process_backlog+0x4d6/0x1160 net/core/dev.c:6614 __napi_poll+0xae/0x320 net/core/dev.c:7678 napi_poll net/core/dev.c:7741 [inline] net_rx_action+0x60d/0xdc0 net/core/dev.c:7893 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622 do_softirq+0x52/0x90 kernel/softirq.c:523 </IRQ> <TASK> __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3eb/0x580 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f67b4d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8 </TASK> | 2026-05-06 | 7.5 | CVE-2026-43164 | https://git.kernel.org/stable/c/f27030ac5bef47d997cfac05a3d188aa69f4df7f https://git.kernel.org/stable/c/0f13fa087ead642ea1eb5fdb6eb092c913ef06b7 https://git.kernel.org/stable/c/470c7ca2b4c3e3a51feeb952b7f97a775b5c49cd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix interlaced plain identification for encoded extents Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents. This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain(). | 2026-05-06 | 7.1 | CVE-2026-43166 | https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1 https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput() in do_procmap_query() When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf. | 2026-05-06 | 7.8 | CVE-2026-43178 | https://git.kernel.org/stable/c/f9fe092084cd04deea18747f58a2304026e76aaa https://git.kernel.org/stable/c/8adaff87db143583e08eec4f4e7788f1ef8af94d https://git.kernel.org/stable/c/90f5e87c9b75833b9ef3a4415b92c0247f28ab2f https://git.kernel.org/stable/c/61dc9f776705d6db6847c101b98fa4f0e9eb6fa3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): “URB submitted while active” This is a similar class of bug fixed in rtl8150 by – commit 958baf5eaee3 (“net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast”). Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time. | 2026-05-06 | 7.8 | CVE-2026-43180 | https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215 https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112 https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64 https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843 https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rnbd-srv: Zero the rsp buffer before using it Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes from being picked up by the client side when the message is exchanged between different protocol versions. | 2026-05-06 | 7.5 | CVE-2026-43184 | https://git.kernel.org/stable/c/e4272754063d52c9ad0169865add8816ba696471 https://git.kernel.org/stable/c/e2cacec7d4291300a282feb3af8eba57b93b15aa https://git.kernel.org/stable/c/b646e54d23b9b592d612a2036aab14e0f6c14206 https://git.kernel.org/stable/c/30868a6a5238849d554295aff3ce61d242d7fad8 https://git.kernel.org/stable/c/7aac0a30dcf41cdb510526740d9a2ab1520c5d98 https://git.kernel.org/stable/c/c94ede3c436dfbd9cedd9cb69f604f6fc901b6a2 https://git.kernel.org/stable/c/852475278ca5e96e0c0275950e1a84203e602b33 https://git.kernel.org/stable/c/69d26698e4fd44935510553809007151b2fe4db5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: consume xmit errors of GSO frames udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests currently in NIPA. They fail in the same exact way: the TCP GRO test stalls occasionally and the test gets killed after 10min. These tests use veth to simulate GRO. They attach a trivial (“return XDP_PASS;”) XDP program to the veth to force TSO off and NAPI on. Digging into the failure mode we can see that the connection is completely stuck after a burst of drops. The sender’s snd_nxt is at sequence number N [1], but the receiver claims to have received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle is that the sender’s rtx queue is not empty (let’s say the block in the rtx queue is at sequence number N – 4 * MSS [3]). In this state, the sender sends a retransmission from the rtx queue with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3]. The receiver sees it and responds with an ACK all the way up to N + 3 * MSS [2]. But the sender will reject this ack as TCP_ACK_UNSENT_DATA because it has no recollection of ever sending data that far out [1]. And we are stuck. The root cause is the mess of the xmit return codes. veth returns an error when it can’t xmit a frame. We end up with a loss event like this: ————————————————- | GSO super frame 1 | GSO super frame 2 | |———————————————–| | seg | seg | seg | seg | seg | seg | seg | seg | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ————————————————- x ok ok <ok>| ok ok ok <x> \ snd_nxt “x” means packet lost by veth, and “ok” means it went through. Since veth has TSO disabled in this test it sees individual segments. Segment 1 is on the retransmit queue and will be resent. So why did the sender not advance snd_nxt even though it clearly did send up to seg 8? tcp_write_xmit() interprets the return code from the core to mean that data has not been sent at all. Since TCP deals with GSO super frames, not individual segments, the crux of the problem is that loss of a single segment can be interpreted as loss of all. TCP only sees the last return code for the last segment of the GSO frame (in <> brackets in the diagram above). Of course for the problem to occur we need a setup or a device without a Qdisc. Otherwise the Qdisc layer disconnects the protocol layer from the device errors completely. We have multiple ways to fix this. 1) make veth not return an error when it lost a packet. While this is what I think we did in the past, the issue keeps reappearing and it’s annoying to debug. The game of whack-a-mole is not great. 2) fix the damn return codes We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer. 3) make TCP ignore the errors It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we’re pushing data – packet loss is just packet loss? 4) this fix Ignore the rc in the Qdisc-less+GSO case, since it’s unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let’s be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-“networks” like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix? A similar fix has been proposed by Eric in the past but never committed because the original reporter was working with an OOT driver and wasn’t providing feedback (see Link). | 2026-05-06 | 7.5 | CVE-2026-43194 | https://git.kernel.org/stable/c/ae3f627b45fbc3c776a4e484696f3cad7cbb4eca https://git.kernel.org/stable/c/0c9de092ef8c50a7ee9612811566f0aa81d8d7b6 https://git.kernel.org/stable/c/56bd32c0edca34041a5c215887fcf562fae2e2db https://git.kernel.org/stable/c/9ac6aebef4b4bfc5ed408b0b65645981574bc780 https://git.kernel.org/stable/c/ea5d7787635e26ec1194ec7eec0e8e5ae3bd10a5 https://git.kernel.org/stable/c/4cb163e9efcac4cd35c3043e097f25081a5c015c https://git.kernel.org/stable/c/c86901d22c89a6bf4e2f013e948aaabc60869893 https://git.kernel.org/stable/c/7aa767d0d3d04e50ae94e770db7db8197f666970 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix “scheduling while atomic” in IPsec MAC address query Fix a “scheduling while atomic” bug in mlx5e_ipsec_init_macs() by replacing mlx5_query_mac_address() with ether_addr_copy() to get the local MAC address directly from netdev->dev_addr. The issue occurs because mlx5_query_mac_address() queries the hardware which involves mlx5_cmd_exec() that can sleep, but it is called from the mlx5e_ipsec_handle_event workqueue which runs in atomic context. The MAC address is already available in netdev->dev_addr, so no need to query hardware. This avoids the sleeping call and resolves the bug. Call trace: BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200 __schedule+0x7ab/0xa20 schedule+0x1c/0xb0 schedule_timeout+0x6e/0xf0 __wait_for_common+0x91/0x1b0 cmd_exec+0xa85/0xff0 [mlx5_core] mlx5_cmd_exec+0x1f/0x50 [mlx5_core] mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core] mlx5_query_mac_address+0x19/0x30 [mlx5_core] mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core] mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core] mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core] process_one_work+0x178/0x2e0 worker_thread+0x2ea/0x430 | 2026-05-06 | 7.5 | CVE-2026-43199 | https://git.kernel.org/stable/c/e1407fb7c337373dfaaae2445d828b0b9ae26a29 https://git.kernel.org/stable/c/57957bc7f1865778ec9b1618e15515feb6df7eb4 https://git.kernel.org/stable/c/546de94e41e92e1f7dc6213615fb7c794d05db98 https://git.kernel.org/stable/c/859380694f434597407632c29f30fdb5e763e6cc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to a use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch…case structure. This bug was identified through static analysis. | 2026-05-06 | 7.5 | CVE-2026-43203 | https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2 https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52 https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57 https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68 https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016 https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of-bounds kernel memory write by passing a small buffer, leading to potential privilege escalation. | 2026-05-06 | 7.8 | CVE-2026-43206 | https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940 https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. | 2026-05-06 | 7.8 | CVE-2026-43207 | https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98 https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6 https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2 https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling Commit a4e772898f8b (“PCI: Add missing bridge lock to pci_bus_lock()”) delegates the bridge device’s pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before a4e772898f8b, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } } After a4e772898f8b the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug. This yields one of two errors: 1. A warning that the lock is being unlocked when no one holds it. 2. An incorrect unlock of a lock that belongs to another thread. Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path. [Same patch later posted by Keith at https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com] | 2026-05-06 | 7.8 | CVE-2026-43211 | https://git.kernel.org/stable/c/ebb27b7399ab8b9eb1f792b329aa5f6250c590d4 https://git.kernel.org/stable/c/fbe06a3058114bf95a17a4941b205f4b321c6f0a https://git.kernel.org/stable/c/943ed56606a7ab2fe5a99cad572dd17d484310c7 https://git.kernel.org/stable/c/a19b61fdb958ffadbba85b43c991eb9fc70c1c1c https://git.kernel.org/stable/c/0425aaf20b407d2f2cf3bf469808e4a35f9abb8b https://git.kernel.org/stable/c/bd435f4b738130d732ef64e0e57e45185f77165d https://git.kernel.org/stable/c/8b08ea9690b212b7bf7f12414039259cf34b1aa0 https://git.kernel.org/stable/c/9368d1ee62829b08aa31836b3ca003803caf0b72 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE The arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE – which is a valid index – so add a check for this. | 2026-05-06 | 7.8 | CVE-2026-43212 | https://git.kernel.org/stable/c/b5bf05e05cdf489a04137e4da407de9d4cca5295 https://git.kernel.org/stable/c/bb1a54f7f011f19ed936632698eae574e0b91063 https://git.kernel.org/stable/c/92adfb707beec0fe956424373654a70aad35ea13 https://git.kernel.org/stable/c/61a56df2fbaad3a4d00f0c6a904b5d1ee8982eb4 https://git.kernel.org/stable/c/1d8f2f024801019d85159a020b72a4424b46bcf4 https://git.kernel.org/stable/c/94b0c831eda778ae9e4f2164a8b3de485d8977bb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports an abnormal sequence number in the TX release report, which will access out of bounds of the wd_ring->pages array, causing a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: <IRQ> rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 </IRQ> <TASK> rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> To prevent the crash, validate rpp_info.seq before using it. | 2026-05-06 | 7.5 | CVE-2026-43213 | https://git.kernel.org/stable/c/ef7fa19809b2d892d45da53f90ac698d13c367fd https://git.kernel.org/stable/c/b342dd13aedccb0dd27365f6cc63a262f42394ce https://git.kernel.org/stable/c/957eda596c7665f2966970fd1dcc35fe299b38e8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering a lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-06 | 7.8 | CVE-2026-43214 | https://git.kernel.org/stable/c/f621ca24f9f489e226e22560761b04884984133b https://git.kernel.org/stable/c/708e20c66b2761d878a2bc3c7534e7f814e4dec5 https://git.kernel.org/stable/c/9f2bfea51151dfbb24b52f452eb3d5f5fe0e506e https://git.kernel.org/stable/c/57536ff0a6bd69a5808d682925202babdb5ddc13 https://git.kernel.org/stable/c/b33f8d816950b10e7879cd8ffd7ae4b649ada4db https://git.kernel.org/stable/c/95d848dc7e639988dbb385a8cba9b484607cf98c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: AV1: Fix tile info buffer size Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory. | 2026-05-06 | 7.8 | CVE-2026-43222 | https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231 https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7 https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4 https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641 https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR RDS connections carry a state “rds_conn_path::cp_state”, and transitions from one state to another are conditional upon an expected state: “rds_conn_path_transition.” There is one exception to this conditionality, which is “RDS_CONN_ERROR” that can be enforced by “rds_conn_path_drop” regardless of what state the connection is currently in. But as soon as a connection enters state “RDS_CONN_ERROR”, the connection handling code expects it to go through the shutdown-path. The RDS/TCP multipath changes added a shortcut out of “RDS_CONN_ERROR” straight back to “RDS_CONN_CONNECTING” via “rds_tcp_accept_one_path” (e.g. after “rds_tcp_state_change”). A subsequent “rds_tcp_reset_callbacks” can then transition the state to “RDS_CONN_RESETTING” with a shutdown-worker queued. That’ll trip up “rds_conn_init_shutdown”, which was never adjusted to handle “RDS_CONN_RESETTING” and subsequently drops the connection with the dreaded “DR_INV_CONN_STATE”, which leaves “RDS_SHUTDOWN_WORK_QUEUED” on forever. So we do two things here: a) Don’t shortcut “RDS_CONN_ERROR”, but take the longer path through the shutdown code. b) Add “RDS_CONN_RESETTING” to the expected states in “rds_conn_init_shutdown” so that we won’t error out and get stuck, if we ever hit weird state transitions like this again. | 2026-05-06 | 7.5 | CVE-2026-43226 | https://git.kernel.org/stable/c/9bcd7c00691a2db9745817d5ea79262a503b135c https://git.kernel.org/stable/c/a179ac7be8f5a650d0068040705f4cddd6ca369c https://git.kernel.org/stable/c/19e384a7d00d888303a8285977cdf1970c6cccd6 https://git.kernel.org/stable/c/f0f729bdffb08af32e0f54521b81b8a9e0321f16 https://git.kernel.org/stable/c/81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8 https://git.kernel.org/stable/c/899ef00963ce76f9fc421a7d02335fe4ead6389b https://git.kernel.org/stable/c/9ff599a9be784a808c36765086e3db2144aa3b66 https://git.kernel.org/stable/c/ad22d24be635c6beab6a1fdd3f8b1f3c478d15da |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: Clear reconnect pending bit When canceling the reconnect worker, care must be taken to reset the reconnect-pending bit. If the reconnect worker has not yet been scheduled before it is canceled, the reconnect-pending bit will stay on forever. | 2026-05-06 | 7.5 | CVE-2026-43230 | https://git.kernel.org/stable/c/3cf001aff71b1db1b4732a5381b012a114720664 https://git.kernel.org/stable/c/60b347333ec259ac7352f62cbbc365b04c065ff8 https://git.kernel.org/stable/c/597c46a42930c963f448720aaf5001dd4ed98af4 https://git.kernel.org/stable/c/391200c274e90c34071b909ba12e3390b81b767f https://git.kernel.org/stable/c/ba2e3472022f44baddf000621fed150d7a599ea3 https://git.kernel.org/stable/c/14eae5564053ac3973b9369dc674638f22f4765e https://git.kernel.org/stable/c/bcf034fa5f66b6a3e787f765a917934a2045cf7a https://git.kernel.org/stable/c/b89fc7c2523b2b0750d91840f4e52521270d70ed |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call. Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer). It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached: ============================================================================= BUG kmalloc-64 (Not tainted): Poison overwritten —————————————————————————– 0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_framebuffer_remove+0x4cc/0x5a8 drm_mode_rmfb_work_fn+0x6c/0x80 process_one_work+0x12c/0x2cc worker_thread+0x2a8/0x400 kthread+0xc0/0xdc ret_from_fork+0x14/0x28 Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169 drm_atomic_helper_commit_hw_done+0x100/0x150 drm_atomic_helper_commit_tail+0x64/0x8c commit_tail+0x168/0x18c drm_atomic_helper_commit+0x138/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0) Object 0xc611b340 @offset=832 fp=0xc611b7c0 | 2026-05-06 | 7.8 | CVE-2026-43236 | https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49 https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47 https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7 https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625 https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4 This commit simplifies the amdgpu_gem_va_ioctl function, key updates include: – Moved the logic for managing the last update fence directly into amdgpu_gem_va_update_vm. – Introduced checks for the timeline point to enable conditional replacement or addition of fences. v2: Addressed review comments from Christian. v3: Updated comments (Christian). v4: The previous version selected the fence too early and did not manage its reference correctly, which could lead to stale or freed fences being used. This resulted in refcount underflows and could crash when updating GPU timelines. The fence is now chosen only after the VA mapping work is completed, and its reference is taken safely. After exporting it to the VM timeline syncobj, the driver always drops its local fence reference, ensuring balanced refcounting and avoiding use-after-free on dma_fence. Crash signature: [ 205.828135] refcount_t: underflow; use-after-free. [ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 … [ 206.074014] Call Trace: [ 206.076488] <TASK> [ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu] [ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm] [ 206.094415] drm_ioctl+0x26e/0x520 [drm] [ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu] [ 206.109387] __x64_sys_ioctl+0x96/0xe0 [ 206.113156] do_syscall_64+0x66/0x2d0 … [ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90 … [ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 … [ 206.553405] Call Trace: [ 206.553409] <IRQ> [ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched] [ 206.553424] dma_fence_signal+0x30/0x60 [ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched] [ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0 [ 206.553437] dma_fence_signal+0x30/0x60 [ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu] [ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu] [ 206.554353] edac_mce_amd(E) ee1004(E) [ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu] [ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu] [ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu] [ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0 [ 206.555506] handle_irq_event+0x38/0x80 [ 206.555509] handle_edge_irq+0x92/0x1e0 [ 206.555513] __common_interrupt+0x3e/0xb0 [ 206.555519] common_interrupt+0x80/0xa0 [ 206.555525] </IRQ> [ 206.555527] <TASK> … [ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 … [ 206.555667] Kernel panic – not syncing: Fatal exception in interrupt | 2026-05-06 | 7.8 | CVE-2026-43237 | https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: ->d_compare() must not block … so don’t use __getname() there. Switch it (and ntfs_d_hash(), while we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash() almost certainly can do with smaller allocations, but let ntfs folks deal with that – keep the allocation size as-is for now. Stop abusing names_cachep in ntfs, period – various uses of that thing in there have nothing to do with pathnames; just use k[mz]alloc() and be done with that. For now let’s keep sizes as-is, but AFAICS none of the users actually want PATH_MAX. | 2026-05-06 | 7.5 | CVE-2026-43245 | https://git.kernel.org/stable/c/142c444a395f4d26055c8a4473e228bb86283f1e https://git.kernel.org/stable/c/fb4b1f969ba01fa1d4088467a02fc1e5f0806710 https://git.kernel.org/stable/c/ca2a04e84af79596e5cd9cfe697d5122ec39c8ce |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vhost: move vdpa group bound check to vhost_vdpa Remove duplication by consolidating these here. This reduces the possibility of a parent driver missing them. While we’re at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out of bound write. | 2026-05-06 | 7.8 | CVE-2026-43248 | https://git.kernel.org/stable/c/ddb57354634b6ba851b79da45f1de42c646f27d0 https://git.kernel.org/stable/c/7441d35d14d9a3d66d925d90cb73c75394e6d454 https://git.kernel.org/stable/c/406db68f9cb976a8ddfafd631197264f2307e9c9 https://git.kernel.org/stable/c/cd025c1e876b4e262e71398236a1550486a73ede |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: move wait_on_sem() out of spinlock With iommu.strict=1, the existing completion wait path can cause soft lockups under stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled. Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled. | 2026-05-06 | 7.5 | CVE-2026-43253 | https://git.kernel.org/stable/c/f2f65b28d802a667119147444ec2ae33eebf9a58 https://git.kernel.org/stable/c/715c263119fd1b918a9fcbd8a36ea5b604a46324 https://git.kernel.org/stable/c/e15768e68820142077bbca402d8e902f64ade1b0 https://git.kernel.org/stable/c/496269d12072ecb219826485bdbec70c92a8eef5 https://git.kernel.org/stable/c/d2a0cac10597068567d336e85fa3cbdbe8ca62bf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp – fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data – skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn’s 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%. | 2026-05-06 | 7.5 | CVE-2026-43254 | https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37 https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131 https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4): struct vfe_line line[VFE_LINE_NUM_MAX]; When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds, resulting in out-of-bounds memory access. Fix this by using separate loops for output lines and write masters. | 2026-05-06 | 7.8 | CVE-2026-43256 | https://git.kernel.org/stable/c/e6cbf765686fb6c1d8f2530b3daf6c66efc92f5d https://git.kernel.org/stable/c/0c074e80921fd18984b75836730d76c768c84f65 https://git.kernel.org/stable/c/1b103307df6d461a0731be25aca69ad0335b0933 https://git.kernel.org/stable/c/fade67c88870f497a13ed450ba01f7236c92dd9b https://git.kernel.org/stable/c/e7a38ecda2498e7ce998793ac2a46ca47317635d https://git.kernel.org/stable/c/d965919af524e68cb2ab1a685872050ad2ee933d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: alpha: fix user-space corruption during memory compaction Alpha systems can suffer sporadic user-space crashes and heap corruption when memory compaction is enabled. Symptoms include SIGSEGV, glibc allocator failures (e.g. “unaligned tcache chunk”), and compiler internal errors. The failures disappear when compaction is disabled or when using global TLB invalidation. The root cause is insufficient TLB shootdown during page migration. Alpha relies on ASN-based MM context rollover for instruction cache coherency, but this alone is not sufficient to prevent stale data or instruction translations from surviving migration. Fix this by introducing a migration-specific helper that combines: – MM context invalidation (ASN rollover), – immediate per-CPU TLB invalidation (TBI), – synchronous cross-CPU shootdown when required. The helper is used only by migration/compaction paths to avoid changing global TLB semantics. Additionally, update flush_tlb_other(), pte_clear(), to use READ_ONCE()/WRITE_ONCE() for correct SMP memory ordering. This fixes observed crashes on both UP and SMP Alpha systems. | 2026-05-06 | 7.8 | CVE-2026-43258 | https://git.kernel.org/stable/c/d4ca6ca2c6f5a1d19d9014c5b36d96637846b5d6 https://git.kernel.org/stable/c/03e42b5f7ad4c2c3db8bd384bab7990d5d53c90f https://git.kernel.org/stable/c/bab8d762a8dbb816b10011e13b87d1bca91e5f77 https://git.kernel.org/stable/c/dd5712f3379cfe760267cdd28ff957d9ab4e51c7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix Null reference while testing fluster When multi instances are created/destroyed, many interrupts happen and structures for the decoder are removed. “struct vpu_instance” is shared by all flows in the decoder, so if the structure is not protected by a lock, a Null dereference could sometimes happen. The IRQ Handler was split into two phases and a Lock was added as well. | 2026-05-06 | 7.8 | CVE-2026-43263 | https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios … rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request’s bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios. | 2026-05-06 | 7.8 | CVE-2026-43278 | https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67 https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442 https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850 https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6 https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too. Note that this doesn’t fix the root cause of the playback error itself, but this merely covers the kernel Oops. | 2026-05-06 | 7.8 | CVE-2026-43279 | https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049 https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435 https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When a user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) – Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) – Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29) | 2026-05-06 | 7.1 | CVE-2026-43280 | https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4 https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running while :; do yavta -c3 /dev/video0; done on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120 | 2026-05-08 | 7.8 | CVE-2026-43290 | https://git.kernel.org/stable/c/69c32df23bed6001864779b965fa009bcd9a26de https://git.kernel.org/stable/c/a5c01f15809d1d2c319d8bfb11d071df11ab731c https://git.kernel.org/stable/c/4cf3b6fd54ebb1ebc977bdc47fb6cfcf9a471a22 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Workaround SQM/PSE stalls by disabling sticky NIX SQ manager sticky mode is known to cause stalls when multiple SQs share an SMQ and transmit concurrently. Additionally, PSE may deadlock on transitions between sticky and non-sticky transmissions. There is also a credit drop issue observed when certain condition clocks are gated. Work around these hardware errata by: – Disabling SQM sticky operation: – Clear TM6 (bit 15) – Clear TM11 (bit 14) – Disabling sticky → non-sticky transition path that can deadlock PSE: – Clear TM5 (bit 23) – Preventing credit drops by keeping the control-flow clock enabled: – Set TM9 (bit 21) These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this configuration the SQM/PSE maintain forward progress under load without credit loss, at the cost of disabling sticky optimizations. | 2026-05-08 | 7.5 | CVE-2026-43296 | https://git.kernel.org/stable/c/9a3fd301329474f449e75f86d8a4f6b9c603fd6c https://git.kernel.org/stable/c/d0b3c8a80336029d9356f429151eb27922d80a3c https://git.kernel.org/stable/c/36cc5a5e0178d5fb79e04173b8aa623b0108819a https://git.kernel.org/stable/c/d9b549b6951ba178ec14339a031cae65f4e43fe1 https://git.kernel.org/stable/c/cec2ceb35ce7bc874c43812bb39200d6cf691b87 https://git.kernel.org/stable/c/8052d0587fb14b85539c3a14a226586c0c3d6b4c https://git.kernel.org/stable/c/b7eba260a34e854e2487b8363c11976f082df00d https://git.kernel.org/stable/c/70e9a5760abfb6338d63994d4de6b0778ec795d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don’t clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values. This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860 Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use. | 2026-05-08 | 7.8 | CVE-2026-43303 | https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: adxl380: Avoid reading more entries than present in FIFO The interrupt handler reads FIFO entries in batches of N samples, where N is the number of scan elements that have been enabled. However, the sensor fills the FIFO one sample at a time, even when more than one channel is enabled. Therefore, the number of entries reported by the FIFO status registers may not be a multiple of N; if this number is not a multiple, the number of entries read from the FIFO may exceed the number of entries actually present. To fix the above issue, round down the number of FIFO entries read from the status registers so that it is always a multiple of N. | 2026-05-08 | 7.8 | CVE-2026-43307 | https://git.kernel.org/stable/c/a40f316085985f916ba1599fc303fdbc6a078e86 https://git.kernel.org/stable/c/a8e88edfd69df7b63c882aa53e61e7c078806ad7 https://git.kernel.org/stable/c/f42ddb2945ae4ce2b6f1c2e7aae9f14455a734d3 https://git.kernel.org/stable/c/c1b14015224cfcccd5356333763f2f4f401bd810 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Properly mark live registers for indirect jumps For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this. | 2026-05-08 | 7.8 | CVE-2026-43321 | https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5 https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix interrupt synchronization error This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 (“USB: dummy-hcd: Fix erroneous synchronization change”), which added an emulated “interrupts enabled” flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c (“usb: gadget: dummy_hcd: fix gpf in gadget_setup”) tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback. There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn’t be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 (“USB: UDC core: Add udc_async_callbacks gadget op”) and 04145a03db9d (“USB: UDC: Implement udc_async_callbacks in dummy-hcd”) added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled. That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That’s no good, because it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound. To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs. | 2026-05-08 | 7.8 | CVE-2026-43324 | https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4 https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015 https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128 https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7 https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports tunnel actions too. Note that the payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, raise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups. | 2026-05-08 | 7.8 | CVE-2026-43329 | https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614 https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877 https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: caam – fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len – keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy. | 2026-05-08 | 7.8 | CVE-2026-43330 | https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2 https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959 https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone device registration error path If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device’s kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add the missing wait_for_completion() call to the thermal zone device registration error path. | 2026-05-08 | 7.8 | CVE-2026-43332 | https://git.kernel.org/stable/c/9e796001af97a1f7368d5114b7a8533dd98d797a https://git.kernel.org/stable/c/604da9c04c218362e1c1457304ebeb9c199d537c https://git.kernel.org/stable/c/c4c7219e93319bba9ba0765dee597784c78f63c5 https://git.kernel.org/stable/c/4d390f0e507dfb16d58f83a58d78d1150dc8b9d7 https://git.kernel.org/stable/c/9e07e3b81807edd356e1f794cffa00a428eff443 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: lib/crypto: chacha: Zeroize permuted_state before it leaves scope Since the ChaCha permutation is invertible, the local variable ‘permuted_state’ is sufficient to compute the original ‘state’, and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don’t bother at all since it’s not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize ‘permuted_state’ before it goes out of scope. | 2026-05-08 | 7.5 | CVE-2026-43336 | https://git.kernel.org/stable/c/e90ee961af515a484f091678ce58a4c3f7b73b02 https://git.kernel.org/stable/c/b416a4245f04a450c67a13e6d96056c37c5b33fe https://git.kernel.org/stable/c/bd62d9b44464a6c20a34a74068e7a784d0afa04a https://git.kernel.org/stable/c/066c760acead1fb743bae294dbd89f479ae43b9b https://git.kernel.org/stable/c/1d761e5a7340c46479fb2399598f331e4fe2c633 https://git.kernel.org/stable/c/1933249263c3a98df79992f61a566476e4163bcc https://git.kernel.org/stable/c/91999af43ca2125e3b2c18fcfc02912ada02efc3 https://git.kernel.org/stable/c/e5046823f8fa3677341b541a25af2fcb99a5b1e0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper tries to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statements to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. | 2026-05-08 | 7.8 | CVE-2026-43339 | https://git.kernel.org/stable/c/eec49a33611f20336b357b3953df44f1a02049e8 https://git.kernel.org/stable/c/bacc7f31085c9820922f00bc7d79756ffa13123a https://git.kernel.org/stable/c/7bfafa1b0cd582983ebec6bb20f0a435528fe567 https://git.kernel.org/stable/c/7d9f2f4aabd116ca68fbdab5d8fb8dac74c2ea1e https://git.kernel.org/stable/c/25357b670afb5b517096da783abaa5cc4bf8359e https://git.kernel.org/stable/c/3cd4efb5df72843dfac892d0b3c7a4a8bd926b65 https://git.kernel.org/stable/c/2d88ed7fa000e19c2dc0fa31b3a849e3f5bca5c1 https://git.kernel.org/stable/c/fd63f185979b047fb22a0dfc6bd94d0cab6a6a70 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix event ring index not programmed for IPA v5.0+ For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX. Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion(). At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hung forever. It also meant the IPA data path was completely non-functional. | 2026-05-08 | 7.5 | CVE-2026-43345 | https://git.kernel.org/stable/c/ae8343a19ccb051d519dbb3a9082ddea9f0551d3 https://git.kernel.org/stable/c/2bf18b643c4656413f7cfd5615af60a6b4e261da https://git.kernel.org/stable/c/2d2dc166d55148cfcf8ae67b415f8d6d110e6fca https://git.kernel.org/stable/c/34c988bb04cbdf093d2134e179433da49ffcd044 https://git.kernel.org/stable/c/56007972c0b1e783ca714d6f1f4d6e66e531d21f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region We observe spurious “Synchronous External Abort” exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved. From the boot log, the Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000-0x91a87fff (288 KiB). The remaining portion (0x91a88000-0x91afffff) is incorrectly reported as conventional memory (from efi debug): efi: 0x000091a40000-0x000091a87fff [Reserved…] efi: 0x000091a88000-0x0000938fffff [Conventional…] As a result, the allocator may hand out PFNs inside the hypervisor owned region, causing fatal aborts when the kernel accesses those addresses. Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area. For the record: Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1 | 2026-05-08 | 7.5 | CVE-2026-43347 | https://git.kernel.org/stable/c/edde62571f7602d83243ca51729ce42d22ea04d2 https://git.kernel.org/stable/c/59bd9088336d2bb7e713dcf4df5cbda86bb3c611 https://git.kernel.org/stable/c/85d98669fa7f1d3041d962515e45ee6e392db6f8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl. | 2026-05-08 | 7.6 | CVE-2026-43350 | https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896 https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7 https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4 https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action. Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition. | 2026-05-08 | 7.8 | CVE-2026-43352 | https://git.kernel.org/stable/c/003df94bcc9227e8e930abd03ac7f63ac10033dc https://git.kernel.org/stable/c/5549611888f5ca2db5e8e692b57f30626ddf9898 https://git.kernel.org/stable/c/b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other – stopping or restarting the ring at unexpected times. Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself. | 2026-05-08 | 7.8 | CVE-2026-43353 | https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2 https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There’s a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could’ve upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it’s of the correct type. Add those checks. | 2026-05-08 | 7.8 | CVE-2026-43366 | https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83 https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4 https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlist table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of the object’s backing pages. [278.780187] ————[ cut here ]———— [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] … [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] … [278.780786] Call Trace: [278.780787] <TASK> [278.780788] ? __apply_to_page_range+0x3e6/0x910 [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] [278.780906] apply_to_page_range+0x14/0x30 [278.780908] remap_io_sg+0x14d/0x260 [i915] [278.781013] vm_fault_cpu+0xd2/0x330 [i915] [278.781137] __do_fault+0x3a/0x1b0 [278.781140] do_fault+0x322/0x640 [278.781143] __handle_mm_fault+0x938/0xfd0 [278.781150] handle_mm_fault+0x12c/0x300 [278.781152] ? lock_mm_and_find_vma+0x4b/0x760 [278.781155] do_user_addr_fault+0x2d6/0x8e0 [278.781160] exc_page_fault+0x96/0x2c0 [278.781165] asm_exc_page_fault+0x27/0x30 … That issue was apprehended by the author of a change that introduced it, and potential risk even annotated with a comment, but then never addressed. When adding folio pages to a scatterlist table, take care of byte length of any single scatterlist not exceeding max_segment. (cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60) | 2026-05-08 | 7.8 | CVE-2026-43368 | https://git.kernel.org/stable/c/aeb7255531ba4a5c3a64938577170d08b78de399 https://git.kernel.org/stable/c/1c956f0fccc26fefcbb507516c49d1db41c40471 https://git.kernel.org/stable/c/eae4bf4107571283031db96ce132e951615e2ae4 https://git.kernel.org/stable/c/21a301f12d18797bf889c15497f922edfdaece3a https://git.kernel.org/stable/c/029ae067431ab9d0fca479bdabe780fa436706ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork(). (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) | 2026-05-08 | 7.8 | CVE-2026-43370 | https://git.kernel.org/stable/c/ae87aea330c24f462fc7058ed543ba8bc6798447 https://git.kernel.org/stable/c/46d309996bd9251792d7dafdbaf615cf202b4447 https://git.kernel.org/stable/c/e61e355cbe49e585097eee28c15b862bfb1c0668 https://git.kernel.org/stable/c/c658c1c85ec235b7ecfbf8dbfee385b1332088f4 https://git.kernel.org/stable/c/904025fa8bba1d028adade33346372b4ac1a9249 https://git.kernel.org/stable/c/7885eb335d8f9e9942925d57e300a85e3f82ded4 https://git.kernel.org/stable/c/94b7782d0c8024f5b88454241c8d4777076c3786 https://git.kernel.org/stable/c/2c1030f2e84885cc58bffef6af67d5b9d2e7098f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ncsi: fix skb leak in error paths Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. | 2026-05-08 | 7.5 | CVE-2026-43373 | https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06 https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552 https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49 https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189 https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4 https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry’s percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed. | 2026-05-08 | 7.8 | CVE-2026-43374 | https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7 https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924 https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231 https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix rcu_tasks stall in threaded busypoll I was debugging a NIC driver when I noticed that when I enable threaded busypoll, bpftrace hangs when starting up. dmesg showed: rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old. INFO: rcu_tasks detected stalls on tasks: 00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64 task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000 Call Trace: <TASK> ? napi_threaded_poll_loop+0x27c/0x2c0 ? __pfx_napi_threaded_poll+0x10/0x10 ? napi_threaded_poll+0x26/0x80 ? kthread+0xfa/0x240 ? __pfx_kthread+0x10/0x10 ? ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ? ret_from_fork_asm+0x1a/0x30 </TASK> The cause is that in threaded busypoll, the main loop is in napi_threaded_poll rather than napi_threaded_poll_loop, where the latter rarely iterates more than once within its loop. For rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its qs state, the last_qs must be 100ms behind, and this can’t happen because napi_threaded_poll_loop rarely iterates in threaded busypoll, and each time napi_threaded_poll_loop is called last_qs is reset to latest jiffies. This patch changes it so that in threaded busypoll, last_qs is saved in the outer napi_threaded_poll, and whether busy_poll_last_qs is NULL indicates whether napi_threaded_poll_loop is called for busypoll. This way last_qs would not reset to latest jiffies on each invocation of napi_threaded_poll_loop. | 2026-05-08 | 7.5 | CVE-2026-43385 | https://git.kernel.org/stable/c/52459201d0df3fdbb1d281738b7b772e2cacb49c https://git.kernel.org/stable/c/1a86a1f7d88996085934139fa4c063b6299a2dd3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL. | 2026-05-08 | 7.5 | CVE-2026-43405 | https://git.kernel.org/stable/c/ee5588e2bc41acb73f6676c0520420c107cd0140 https://git.kernel.org/stable/c/86f7060cd638d6eb042e8ed780fb83a59ca0dcb3 https://git.kernel.org/stable/c/5f2806684b05bd24d05c091083b8e2517ba8ffac https://git.kernel.org/stable/c/b268984ae88cb0dcd7a8e8263962c748448e26e8 https://git.kernel.org/stable/c/ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace https://git.kernel.org/stable/c/08bc6173fd611ad5a40f472bf5f15b92aea0fe40 https://git.kernel.org/stable/c/770444611f047dbfd4517ec0bc1b179d40c2f346 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: add a bunch of missing ceph_path_info initializers ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash. Example crash (on Linux 6.18.12): virt_to_cache: Object is not a Slab page! WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400 […] Call Trace: […] ceph_open+0x13d/0x3e0 do_dentry_open+0x134/0x480 vfs_open+0x2a/0xe0 path_openat+0x9a3/0x1160 […] cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400 […] kernel BUG at mm/slub.c:634! Oops: invalid opcode: 0000 [#1] SMP NOPTI RIP: 0010:__slab_free+0x1a4/0x350 Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 (“ceph: fix race condition validating r_parent before applying state”). The ones without initializer are susceptible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.) Unfortunately, these Ceph functions are undocumented and their semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error. Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that’s what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere. | 2026-05-08 | 7.8 | CVE-2026-43408 | https://git.kernel.org/stable/c/644b47f0574fd82aeb9d00317eca8d1f2a525c8c https://git.kernel.org/stable/c/8be8911f590813e6f90bc6407ced1b23e50bc5da https://git.kernel.org/stable/c/453df1f4535842bf17ff1885a225e153d7ee3374 https://git.kernel.org/stable/c/43323a5934b660afae687e8e4e95ac328615a5c4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc’s vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it’s read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender. The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it’s unexploitable without another Binder bug. | 2026-05-08 | 7.8 | CVE-2026-43433 | https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: check ownership before using vma When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma. By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you’re not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case. To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let’s start with the simplest possible fix. C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.) It’s still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback. | 2026-05-08 | 7.8 | CVE-2026-43434 | https://git.kernel.org/stable/c/20a01f20d1f4064d90a8627aa41b5987f0220bb9 https://git.kernel.org/stable/c/5a472d04fb4b9115fb7d1535bd885cea450f14db https://git.kernel.org/stable/c/8ef2c15aeae07647f530d30f6daaf79eb801bcd1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable ‘runtime’ is reassigned to a linked stream’s runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) – all referencing the linked stream’s runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream’s fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released. | 2026-05-08 | 7.8 | CVE-2026-43437 | https://git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd https://git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79 https://git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00 https://git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432 https://git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb https://git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694 https://git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow. Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability. | 2026-05-08 | 7.8 | CVE-2026-43438 | https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6 https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473 https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the ‘ipv6.disable=1’ parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: <IRQ> ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr(). | 2026-05-08 | 7.5 | CVE-2026-43441 | https://git.kernel.org/stable/c/49dbfcb70eca5f6f9043594e1e323c74c39e3863 https://git.kernel.org/stable/c/cf6099ef493b94e140b0fad52482a78853115318 https://git.kernel.org/stable/c/c78f01abe535853f13f0b26cd5b1d2f19bf52e2f https://git.kernel.org/stable/c/95faa1459b83fa544191e82ccc73856f03b7741f https://git.kernel.org/stable/c/c9c238066fb254dabf65e27379f93c56112c5b96 https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn’t at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases. | 2026-05-08 | 7.1 | CVE-2026-43442 | https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f (“iavf: periodically cache PHC time”) introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed. | 2026-05-08 | 7.8 | CVE-2026-43447 | https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4 https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12 https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix for duplicate device in netdev hooks When handling NETDEV_REGISTER notification, duplicate device registration must be avoided since the device may have been added by nft_netdev_hook_alloc() already when creating the hook. | 2026-05-08 | 7.8 | CVE-2026-43454 | https://git.kernel.org/stable/c/6d2a95c6890577cc3eab2b20018e16850d7fb094 https://git.kernel.org/stable/c/2041cdb078041611510fc189410bc70b29f688fb https://git.kernel.org/stable/c/b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave’s header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(), all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond’s private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave’s header_ops using the slave’s own device. This ensures netdev_priv() in the slave’s header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1 | 2026-05-08 | 7.8 | CVE-2026-43456 | https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956 https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses). | 2026-05-08 | 7.3 | CVE-2026-43459 | https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007 https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8 https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: Fix DMA mapping error handling Fix three bugs in aml_sfc_dma_buffer_setup() error paths: 1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, nothing needs cleanup. Use direct return instead of goto. 2. Double-unmap bug: When info DMA mapping failed, the code would unmap sfc->daddr inline, then fall through to out_map_data which would unmap it again, causing a double-unmap. 3. Wrong unmap size: The out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could lead to incorrect DMA sync behavior. | 2026-05-08 | 7.8 | CVE-2026-43461 | https://git.kernel.org/stable/c/0a83d6c9e149a176340190fa9cbadf2266db4c9a https://git.kernel.org/stable/c/c0b88f1176074f80140ed77fce909f254b7180ab https://git.kernel.org/stable/c/b20b437666e1cb26a7c499d1664e8f2a0ac67000 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: spacemit: Fix error handling in emac_tx_mem_map() The DMA mappings were leaked on mapping error. Free them with the existing emac_free_tx_buf() function. | 2026-05-08 | 7.5 | CVE-2026-43462 | https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60 https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16 https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn’t change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn’t get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat: WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: […] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] […] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 […] do_syscall_64+0x57/0xc50 This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 7.5 | CVE-2026-43464 | https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3 https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the following hung task: INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: <TASK> __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 | 2026-05-08 | 7.5 | CVE-2026-43469 | https://git.kernel.org/stable/c/7ea69259a60a364f56cf4aa9e2eafb588d1c762b https://git.kernel.org/stable/c/8cb6b5d8296b1f99a8d36849901ebabfe3f749db https://git.kernel.org/stable/c/74c39a47856bddcde7874f2196a00143b5cd0af9 https://git.kernel.org/stable/c/49f53ee4e25297d886f14e31f355ad1c2735ddfb https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b https://git.kernel.org/stable/c/dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf https://git.kernel.org/stable/c/7b6275c80a0c81c5f8943272292dfe67730ce849 |
| betterdocs–BetterDocs Pro | The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable. | 2026-05-07 | 7.5 | CVE-2026-4348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c0f02ad-f5f1-42b1-8116-e391aaa85430?source=cve https://betterdocs.co/changelog/ |
| CISA–manage.get.gov | manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30. | 2026-05-07 | 7.6 | CVE-2026-43510 | |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. | 2026-05-05 | 7.7 | CVE-2026-43527 | GitHub Security Advisory (GHSA-53vx-pmqw-863c) Patch Commit (1) Patch Commit (2) Patch Commit (3) Patch Commit (4) VulnCheck Advisory: OpenClaw < 2026.4.14 – Server-Side Request Forgery via Private Network Navigation |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. | 2026-05-05 | 7.3 | CVE-2026-43531 | GitHub Security Advisory (GHSA-7wv4-cc7p-jhxc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 – Environment Variable Injection via Workspace .env File |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media. | 2026-05-05 | 7.7 | CVE-2026-43532 | GitHub Security Advisory (GHSA-c9h3-5p7r-mrjh) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.10 – Sandbox Media Normalization Bypass via Discord Event Cover Image |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. | 2026-05-05 | 7.7 | CVE-2026-43573 | GitHub Security Advisory (GHSA-527m-976r-jf79) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – SSRF Policy Bypass in Existing-Session Browser Interaction Routes |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks. | 2026-05-06 | 7.7 | CVE-2026-43576 | GitHub Security Advisory (GHSA-f7fh-qg34-x2xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.5 – Second-hop SSRF via CDP /json/version WebSocket URL |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. | 2026-05-06 | 7.7 | CVE-2026-43580 | GitHub Security Advisory (GHSA-536q-mj95-h29h) Patch Commit (1) Patch Commit (2) Patch Commit (3) VulnCheck Advisory: OpenClaw < 2026.4.10 – Incomplete Navigation Guard Coverage in Browser Interactions |
| horsicq–DIE-engine | Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts. | 2026-05-04 | 7.1 | CVE-2026-43616 | https://github.com/horsicq/DIE-engine/releases/tag/3.21 https://github.com/horsicq/Detect-It-Easy https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 https://github.com/horsicq/XArchive/commit/6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee https://www.vulncheck.com/advisories/detect-it-easy-path-traversal-arbitrary-file-write |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm’s SFTP open with system editor or “Edit with custom editor” feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user’s privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network. This issue has been patched in version 3.7.9. | 2026-05-08 | 7.8 | CVE-2026-43943 | https://github.com/electerm/electerm/security/advisories/GHSA-q4p8-8j9m-8hxj https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333 https://github.com/electerm/electerm/releases/tag/v3.7.9 |
| NixOS–Nix | An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0). | 2026-05-05 | 7.5 | CVE-2026-44028 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://www.openwall.com/lists/oss-security/2026/05/04/32 https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/ |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. | 2026-05-06 | 7.8 | CVE-2026-44114 | GitHub Security Advisory (GHSA-hxvm-xjvf-93f3) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 – Environment Variable Namespace Collision via Workspace dotenv |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | 2026-05-06 | 7.8 | CVE-2026-44118 | GitHub Security Advisory (GHSA-r6xh-pqhr-v4xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 – Owner Context Spoofing via Bearer Token Header |
| gitpython-developers–GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python’s configparser without validating for newlines. GitPython’s own _write() converts embedded newlines into indented continuation lines (e.g. `\n` becomes `\n\t`), but Git still accepts an indented [core] stanza as a section header – so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49. | 2026-05-07 | 7.8 | CVE-2026-44244 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49 |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34. | 2026-05-08 | 7.3 | CVE-2026-44338 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj |
| Postorius project–Postorius | Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026. | 2026-05-07 | 7.2 | CVE-2026-44742 | https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b https://gitlab.com/mailman/postorius/-/merge_requests/972 https://gitlab.com/mailman/postorius/-/issues/620 https://www.openwall.com/lists/oss-security/2026/05/07/3 |
| wproyal–Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status’ parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 7.2 | CVE-2026-4803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23 https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php |
| strategy11team–AWP Classifieds | The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the ‘regions’ parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-5100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903 |
| wpmudev–Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the ‘upload-1[file][file_path]’ parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form’s Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications. | 2026-05-05 | 7.5 | CVE-2026-5192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve https://plugins.trac.wordpress.org/changeset/3500671/forminator |
| Ivanti–Endpoint Manager Mobile | An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods. | 2026-05-07 | 7 | CVE-2026-5788 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| fast-uri–fast-uri | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later. | 2026-05-04 | 7.5 | CVE-2026-6321 | https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 https://cna.openjsf.org/security-advisories.html |
| fast-uri–fast-uri | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI’s authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later. | 2026-05-05 | 7.5 | CVE-2026-6322 | https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://cna.openjsf.org/security-advisories.html |
| MAXHUB–MAXHUB Pivot client application | This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations. | 2026-05-07 | 7.3 | CVE-2026-6411 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json |
| www[.]pgbouncer[.]org–PgBouncer | An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. | 2026-05-09 | 7.5 | CVE-2026-6664 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| MongoDB Inc.–MongoDB C Driver | The MongoDB C Driver’s Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI. | 2026-05-06 | 7.8 | CVE-2026-6691 | https://jira.mongodb.org/browse/CDRIVER-6134 |
| Ivanti–Endpoint Manager Mobile | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | 2026-05-07 | 7.2 | CVE-2026-6973 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| thedark–Auto Affiliate Links | The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8. This is due to insufficient input sanitization on the ‘url’ POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element’s href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator’s browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook. | 2026-05-08 | 7.2 | CVE-2026-7330 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8ed84e-3504-42e3-821d-794198d7adda?source=cve https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L278 https://plugins.trac.wordpress.org/changeset/3519003/wp-auto-affiliate-links/trunk/aal_stats.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-auto-affiliate-links/tags/6.8.8&new_path=%2Fwp-auto-affiliate-links/tags/6.8.8.1 |
| latepoint–LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘booking_form_page_url’ parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation. | 2026-05-06 | 7.2 | CVE-2026-7332 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| GeoVision Inc.–GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting a non-existent page. | 2026-05-04 | 7.4 | CVE-2026-7371 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo–Firmware | A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates. | 2026-05-07 | 7.2 | CVE-2026-7413 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111111111111111110000000000000000000000000000000000000000000000000000000111 |
| PrefectHQ–prefect | A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 7.3 | CVE-2026-7723 | VDB-360899 \| PrefectHQ prefect WebSocket Endpoint in missing authentication VDB-360899 \| CTI Indicators (IOB, IOC, IOA) Submit #807256 \| PerfectHQ Perfect <=3.6.13 Missing Critical Step in Authentication https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f https://github.com/PrefectHQ/prefect/pull/20372 https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 https://github.com/PrefectHQ/prefect/releases/tag/3.6.14 https://github.com/PrefectHQ/prefect/ |
| Shandong Hoteam Software–PDM Product Data Management System | A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes SQL injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. You should upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7727 | VDB-360902 \| Shandong Hoteam Software PDM Product Data Management System DataService GetQueryMachineGridOnePageData sql injection VDB-360902 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #803268 \| Shandong Hoteam Software Co., Ltd. PDM <8.3.10 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/KvbxwRlmRihO8ZkT1E1c64pdngh https://en.hoteamsoft.com/pdm |
| n/a–funadmin | A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch. | 2026-05-04 | 7.3 | CVE-2026-7733 | VDB-360908 | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload VDB-360908 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807559 | FunAdmin v<=V7.1.0-rc6 Unrestricted Upload https://gitee.com/funadmin/funadmin/issues/IJ8NXT https://gitee.com/funadmin/funadmin/pulls/59 https://gitee.com/funadmin/funadmin/ |
| osrg–GoBGP | A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded. | 2026-05-04 | 7.3 | CVE-2026-7735 | VDB-360910 | osrg GoBGP AIGP Attribute bgp.go PathAttributeAigp.DecodeFromBytes buffer overflow VDB-360910 | CTI Indicators (IOB, IOC, IOA) Submit #807600 | GoBGP 4.3.0 Improper Input Validation https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg–GoBGP | A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7736 | VDB-360911 | osrg GoBGP mrt.go parseRibEntry integer underflow VDB-360911 | CTI Indicators (IOB, IOC, IOA) Submit #807604 | osrg GoBGP <= 4.3.0 Integer Underflow https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| @fastify/accepts-serializer–@fastify/accepts-serializer | @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option. | 2026-05-04 | 7.5 | CVE-2026-7768 | https://cna.openjsf.org/security-advisories.html https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg |
| HashiCorp–Boundary | Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5. | 2026-05-04 | 7.5 | CVE-2026-7776 | https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake |
| RTGS2017–NagaAgent | NagaAgent up to 5.1.0 is vulnerable to path traversal in the Skills endpoint (apiserver/routes/extensions.py) through the Name argument. The attack can be carried out remotely, and a public exploit is available. The project was notified early through an issue report but has not responded. | 2026-05-04 | 7.3 | CVE-2026-7784 | VDB-360981; RTGS2017 NagaAgent Skills Endpoint extensions.py path traversal VDB-360981; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807744; RTGS2017 NagaAgent 5.10 Path Traversal; https://github.com/RTGS2017/NagaAgent/issues/311 https://github.com/RTGS2017/NagaAgent/ |
| A-G-U-P-T-A–wireshark-mcp | wireshark-mcp (commits edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89) is vulnerable to OS command injection in the function quick_capture of pyshark_mcp.py. The attack can be carried out remotely, and a public exploit is available. The project uses rolling releases, so there are no affected or fixed version numbers. The project was notified early through an issue report but has not responded. | 2026-05-04 | 7.3 | CVE-2026-7785 | VDB-360985; A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection VDB-360985; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807745; A-G-U-P-T-A wireshark-mcp 400c3da70074f22f3cce7ccb65304cafc7089c89 Command Injection; https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1 https://github.com/A-G-U-P-T-A/wireshark-mcp/ |
| Axle-Bucamp–MCP-Docusaurus | MCP-Docusaurus up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0 is vulnerable to path traversal in the functions update_document, continue_document, delete_document and get_content of app/routes/document.py through the DOCS_DIR/path argument. The attack can be carried out remotely, and a public exploit is available. The project uses rolling releases, so there are no affected or fixed version numbers. The project was notified early through an issue report but has not responded. | 2026-05-05 | 7.3 | CVE-2026-7788 | VDB-360994; Axle-Bucamp MCP-Docusaurus document.py get_content path traversal VDB-360994; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807746; Axle-Bucamp MCP-Docusaurus 404bc028e15ec304c9a045528560f4b5f27a17e0 Path Traversal; https://github.com/Axle-Bucamp/MCP-Docusaurus/issues/2 https://github.com/Axle-Bucamp/MCP-Docusaurus/ |
| Amazon–Workspaces | Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM. | 2026-05-04 | 7.8 | CVE-2026-7791 | https://aws.amazon.com/security/security-bulletins/2026-025-aws/ |
| UsamaK98–python-notebook-mcp | python-notebook-mcp up to commit a05a232815809a7e425b5fa7be26e0d4369894c2 is vulnerable to path traversal in the functions create_notebook, read_notebook, edit_cell and add_cell of server.py. The attack can be carried out remotely, and a public exploit is available. The project uses rolling releases, so there are no affected or fixed version numbers. The project was notified early through an issue report but has not responded. | 2026-05-05 | 7.3 | CVE-2026-7810 | VDB-361070; UsamaK98 python-notebook-mcp server.py add_cell path traversal VDB-361070; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807748; UsamaK98 python-notebook-mcp a05a232815809a7e425b5fa7be26e0d4369894c2 Path Traversal; https://github.com/UsamaK98/python-notebook-mcp/issues/5 https://github.com/UsamaK98/python-notebook-mcp/ |
| 54yyyu–code-mcp | code-mcp up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 is vulnerable to path traversal: the is_safe_path check in src/code_mcp/server.py (MCP file handler) can be bypassed. The attack can be carried out remotely, and a public exploit is available. The project uses rolling releases, so there are no affected or fixed version numbers. The project was notified early through an issue report but has not responded. | 2026-05-05 | 7.3 | CVE-2026-7811 | VDB-361071; 54yyyu code-mcp MCP File server.py is_safe_path path traversal VDB-361071; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807751; 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal; https://github.com/54yyyu/code-mcp/issues/4 https://github.com/54yyyu/code-mcp/ |
| 54yyyu–code-mcp | code-mcp up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 is vulnerable to command injection in the function git_operation of src/code_mcp/server.py (MCP tool) through the operation argument. The attack can be carried out remotely, and a public exploit is available. The project uses rolling releases, so there are no affected or fixed version numbers. The project was notified early through an issue report but has not responded. | 2026-05-05 | 7.3 | CVE-2026-7812 | VDB-361072; 54yyyu code-mcp MCP Tool server.py git_operation command injection VDB-361072; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807752; 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection; https://github.com/54yyyu/code-mcp/issues/5 https://github.com/54yyyu/code-mcp/ |
| Ivanti–Endpoint Manager Mobile | Improper certificate validation in Ivanti EPMM before 12.6.1.1, 12.7.0.1 and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device from a restricted set of unenrolled devices, disclosing information about the EPMM appliance and compromising the integrity of the newly enrolled device identity. | 2026-05-07 | 7.4 | CVE-2026-7821 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| IObit–Advanced SystemCare | IObit Advanced SystemCare 19 is vulnerable to symlink following in the ASC.exe service component. Exploitation requires local access and is of high complexity; a public exploit is available. | 2026-05-05 | 7 | CVE-2026-7832 | VDB-361111; IObit Advanced SystemCare Service ASC.exe symlink VDB-361111; CTI Indicators (IOB, IOC, IOA) Submit #797630; IObit Advanced SystemCare 19 Link Following; https://github.com/usernameone101/Writeups/blob/main/IObit%20Zero%20Day%20(Updated%20v2).pdf |
| EFM–ipTIME C200 | EFM ipTIME C200 up to 1.092 is vulnerable to command injection in the function sub_408F90 of /cgi/iux_set.cgi (ApplyRestore endpoint) through the RestoreFile argument. The attack can be carried out remotely, and a public exploit is available. The vendor was contacted early but did not respond. | 2026-05-05 | 7.2 | CVE-2026-7833 | VDB-361112; EFM ipTIME C200 ApplyRestore Endpoint iux_set.cgi sub_408F90 command injection VDB-361112; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807786; iptime c200 1.092 Command Injection; https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/c200/sub_409054_vulnerability_report_EN.md |
| D-Link–DI-8100 | D-Link DI-8100 16.07.26A1 has a stack-based buffer overflow in yyxz.asp, where the ID argument reaches an sprintf call that writes into a fixed-size stack buffer. The attack can be carried out remotely, and a public exploit is available. | 2026-05-05 | 7.2 | CVE-2026-7851 | VDB-361128; D-Link DI-8100 yyxz.asp sprintf stack-based overflow VDB-361128; CTI Indicators (IOB, IOC, IOA) Submit #807798; D-Link DI-8100 16.07.26A1 Denial of Service; https://github.com/draw-ctf/report/blob/main/DI-8100/yyxz_dlink_asp_overflow.md https://www.dlink.com/ |
| D-Link–DI-8100 | D-Link DI-8100 16.07.26A1 has a buffer overflow in /url_member.asp of the web management interface through the Name argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-05 | 7.2 | CVE-2026-7856 | VDB-361133; D-Link DI-8100 Web Management url_member.asp buffer overflow VDB-361133; CTI Indicators (IOB, IOC, IOA) Submit #807849; D-Link DI-8100 16.07.26A1 Denial of Service; https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md https://www.dlink.com/ |
| D-Link–DI-8100 | D-Link DI-8100 16.07.26A1 has a buffer overflow in /user_group.asp (CGI handler), where an sprintf call overflows a fixed-size buffer. The attack can be carried out remotely, and a public exploit is available. | 2026-05-05 | 7.2 | CVE-2026-7857 | VDB-361134; D-Link DI-8100 CGI user_group.asp sprintf buffer overflow VDB-361134; CTI Indicators (IOB, IOC, IOA) Submit #807853; D-Link DI-8100 16.07.26A1 Denial of Service; https://github.com/draw-ctf/report/blob/main/DI-8100/user_group_asp_overflow.md https://www.dlink.com/ |
| PicoTronica–e-Clinic Healthcare System ECHS | PicoTronica e-Clinic Healthcare System (ECHS) 5.7 contains a hard-coded credential, the ADMIN_KEY value in /cdemos/echs/priv/echs.js. It can be abused remotely, and a public exploit is available. Upgrade to 5.7.1. The vendor was contacted early, responded professionally and released the fixed version quickly. | 2026-05-06 | 7.3 | CVE-2026-8032 | VDB-361358; PicoTronica e-Clinic Healthcare System ECHS echs.js hard-coded credentials VDB-361358; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800792; PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Improper Privilege Management; https://docs.google.com/document/d/1w1veNs8I3nxsVxbSiIgJmt-4S5a0rW0bvjDvEe7iDr0/edit?usp=sharing |
| SourceCodester–Pharmacy Sales and Inventory System | SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection in /ajax.php?action=save_user through the ID argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-07 | 7.3 | CVE-2026-8083 | VDB-361837; SourceCodester Pharmacy Sales and Inventory System ajax.php save_user sql injection VDB-361837; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807848; sourcecodester Pharmacy Sales and Inventory System V1.0 SQL injection; https://github.com/zhi-cyber/cve-2/issues/1 https://www.sourcecodester.com/ |
| code-projects–Feedback System | code-projects Feedback System 1.0 is vulnerable to SQL injection in /admin/checklogin.php through the email argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-07 | 7.3 | CVE-2026-8098 | VDB-361851; code-projects Feedback System checklogin.php sql injection VDB-361851; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808126; code-projects FEEDBACK SYSTEM V1.0 SQL Injection; https://github.com/redshadowword-cell/CVE/issues/3 https://code-projects.org/ |
| SourceCodester–Comment System | SourceCodester Comment System 1.0 is vulnerable to SQL injection in post_comment.php through the Name argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8126 | VDB-361916; SourceCodester Comment System post_comment.php sql injection VDB-361916; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808686; sourcecodester Comment System V1.0 SQL Injection; https://github.com/redshadowword-cell/CVE/issues/7 https://www.sourcecodester.com/ |
| SourceCodester–SUP Online Shopping | SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection in /admin/viewmsg.php through the msgid argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8128 | VDB-361918; SourceCodester SUP Online Shopping viewmsg.php sql injection VDB-361918; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808772; sourcecodester SUP Online Shopping V1.0 SQL Injection; https://github.com/redshadowword-cell/CVE/issues/9 https://www.sourcecodester.com/ |
| SourceCodester–SUP Online Shopping | SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection in wishlist.php through the delwlistid argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8129 | VDB-361919; SourceCodester SUP Online Shopping wishlist.php sql injection VDB-361919; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808773; sourcecodester SUP Online Shopping V1.0 SQL Injection; https://github.com/redshadowword-cell/CVE/issues/10 https://www.sourcecodester.com/ |
| SourceCodester–SUP Online Shopping | SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection in /admin/message.php through the seenid argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8130 | VDB-361920; SourceCodester SUP Online Shopping message.php sql injection VDB-361920; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808774; sourcecodester SUP Online Shopping V1.0 SQL Injection; https://github.com/redshadowword-cell/CVE/issues/11 https://www.sourcecodester.com/ |
| SourceCodester–SUP Online Shopping | SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection in /admin/replymsg.php through the msgid argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8131 | VDB-361921; SourceCodester SUP Online Shopping replymsg.php sql injection VDB-361921; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808775; sourcecodester SUP Online Shopping V1.0 sql; https://github.com/redshadowword-cell/CVE/issues/12 https://www.sourcecodester.com/ |
| CodeAstro–Leave Management System | CodeAstro Leave Management System 1.0 is vulnerable to SQL injection in /login.php through the txt_username argument. The attack can be carried out remotely, and a public exploit is available. | 2026-05-08 | 7.3 | CVE-2026-8132 | VDB-361922; CodeAstro Leave Management System login.php sql injection VDB-361922; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808784; codeastro Leave Management System V1.0 SQL Injection; https://github.com/yihaofuweng/cve/issues/64 https://codeastro.com/ |
| zyx0814–FilePress | FilePress up to 2.2.0 is vulnerable to SQL injection in dzz/shares/admin.php (Shares Filelist API) through the order argument. The attack can be carried out remotely, and a public exploit is available. The fix is commit e20ec58414103f781858f2951d178e19b1736664; apply it. | 2026-05-08 | 7.3 | CVE-2026-8133 | VDB-361923; zyx0814 FilePress Shares Filelist API admin.php sql injection VDB-361923; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808819; zyx0814 FilePress <=2.2.0 SQL Injection; https://github.com/zyx0814/FilePress/issues/70 https://github.com/zyx0814/FilePress/pull/71 https://github.com/xiaohaiyang-ai/Web-Security-Research/tree/main/FilePress/Shares-API-PreAuth-SQLi https://github.com/zyx0814/FilePress/commit/e20ec58414103f781858f2951d178e19b1736664 https://github.com/zyx0814/FilePress/ |
| Industrial Application Software IAS–Canias ERP | Industrial Application Software (IAS) Canias ERP 8.03 has improper authentication in iasServerRemoteInterface.doAction of the Java RMI session management component. The attack can be carried out remotely. The vendor was contacted early but did not respond. | 2026-05-10 | 7.3 | CVE-2026-8216 | VDB-362433; Industrial Application Software IAS Canias ERP Java RMI Session Management iasServerRemoteInterface.doAction improper authentication VDB-362433; CTI Indicators (IOB, IOC, IOA) Submit #808244; Industrial Application Software – IAS Canias ERP 8.03– Improper Authentication (CWE-287); https://hawktrace.com/blog/caniaserp |
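Several rows in the table above are SQL injection through two different sink positions: a value position (the ID, email, Name, msgid, delwlistid, seenid and txt_username arguments in the SourceCodester, code-projects and CodeAstro entries) and a sort position (the SortOrder argument in CVE-2026-7727 and the order argument in CVE-2026-8133). The two need different fixes, and the example below, added here and not taken from any of those products, shows why. It runs against an in-memory SQLite table constructed for the example (the users table, its rows and the function names are hypothetical). Values are bound as parameters; ORDER BY column names cannot be bound, so they are mapped onto an allow-list. The last function shows the attacker side of an ORDER BY sink: even where only one statement can run, a CASE expression turns row order into a boolean oracle on data the attacker cannot otherwise read.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for this example; not from any product on this page.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT);
        INSERT INTO users(name, role, password_hash) VALUES
            ('alice', 'admin', 'h1'), ('bob', 'user', 'h2'), ('carol', 'user', 'h3');
        """
    )
    return conn


# --- value position (login checks, record lookups by id) ---------------------

def find_user_vulnerable(conn, name: str):
    # The value is concatenated into the statement: a quote in `name` closes the
    # literal and whatever follows is parsed as SQL.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str):
    # Bound parameter: the driver passes the value separately from the statement,
    # so quotes and keywords in `name` are compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- identifier position (sort column / direction) ----------------------------

def list_users_vulnerable(conn, order: str):
    # ORDER BY takes an identifier or expression, so the request parameter is
    # interpolated as raw SQL and any expression the database accepts runs here.
    return conn.execute(f"SELECT id, name, role FROM users ORDER BY {order}").fetchall()


ALLOWED_SORT_COLUMNS = {"id", "name", "role"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_users_safe(conn, sort_column: str, direction: str = "ASC"):
    # Identifiers cannot be bound as parameters; check the request against a
    # fixed allow-list and reject anything else before it reaches the query text.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f'SELECT id, name, role FROM users ORDER BY "{sort_column}" {direction}'
    return conn.execute(sql).fetchall()


def sort_request_accepted(conn, sort_column: str, direction: str = "ASC") -> bool:
    # True if the allow-list let the sort request through, False if it was rejected.
    try:
        list_users_safe(conn, sort_column, direction)
        return True
    except ValueError:
        return False


def blind_oracle_probe(conn, guess: str) -> bool:
    # Attacker view of the ORDER BY sink: a CASE expression sorts ascending by id
    # when a condition on hidden data holds and descending otherwise, so the order
    # of the returned rows leaks one bit per request without any error or union.
    payload = (
        "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM users WHERE name = 'alice')"
        f" = '{guess}' THEN id ELSE -id END)"
    )
    rows = list_users_vulnerable(conn, payload)
    return rows[0][1] == "alice"  # alice has the lowest id, so first row => condition true


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login lookup:", find_user_vulnerable(db, "x' OR '1'='1"))
    print("parameterised lookup:   ", find_user_safe(db, "x' OR '1'='1"))
    print("oracle says first hash char is 'h':", blind_oracle_probe(db, "h"))
    print("sort by 'name; DROP TABLE users' accepted:", sort_request_accepted(db, "name; DROP TABLE users"))
```

The allow-list in list_users_safe is the whole fix for the sort position: quoting or escaping the identifier does not help, because the attacker controls the identifier itself. The same applies to table names, column lists and LIMIT clauses built from request data.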
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Rocketsoft–Rocket LMS | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks. | 2026-05-10 | 6.4 | CVE-2021-47907 | ExploitDB-50677 Official Product Homepage VulnCheck Advisory: Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets |
| Accesspressthemes–AccessPress Social Icons | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the ‘icon title’ field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface. | 2026-05-10 | 6.4 | CVE-2021-47910 | ExploitDB-50515 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin AccessPress Social Icons 1.8.2 Stored XSS |
| Soliloquywp–Slider by Soliloquy | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages. | 2026-05-10 | 6.4 | CVE-2021-47922 | ExploitDB-50563 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Slider by Soliloquy 2.6.2 Stored XSS |
| Etoilewebdesign–Ultimate Product Catalog | Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed. | 2026-05-10 | 6.4 | CVE-2021-47924 | ExploitDB-50534 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price |
| Cmdbuild–CMDBuild | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments. | 2026-05-10 | 6.4 | CVE-2021-47925 | ExploitDB-50527 Official Product Homepage Product Reference VulnCheck Advisory: CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting |
| Form2Email–Contact Form to Email | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47926 | ExploitDB-50524 Official Product Homepage VulnCheck Advisory: WordPress Contact Form to Email 1.3.24 Stored XSS |
| Wpsymposiumpro–WP Symposium Pro | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed. | 2026-05-10 | 6.4 | CVE-2021-47927 | ExploitDB-50514 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin WP Symposium Pro 2021.10 Stored XSS via wps_admin_forum_add_name |
| Filterable-Portfolio–Filterable Portfolio Gallery | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page. | 2026-05-10 | 6.4 | CVE-2021-47929 | ExploitDB-50458 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Filterable Portfolio Gallery 1.0 Stored XSS |
| Exponentcms–Exponent CMS | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints. | 2026-05-10 | 6.4 | CVE-2021-47931 | ExploitDB-50611 Official Product Homepage VulnCheck Advisory: Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication |
| Projectsend–Projectsend | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the ‘name’ parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page. | 2026-05-10 | 6.4 | CVE-2021-47947 | ExploitDB-50240 Official Product Homepage Product Reference VulnCheck Advisory: Projectsend r1295 Stored Cross-Site Scripting via files-edit.php |
| Ampps–Advanced Guestbook | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | 2026-05-10 | 6.4 | CVE-2021-47950 | ExploitDB-49875 Official Product Homepage VulnCheck Advisory: Advanced Guestbook 2.4.4 Persistent XSS via Smilies |
| picture-gallery–Picture Gallery | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47951 | ExploitDB-50187 Product Reference VulnCheck Advisory: WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL |
| Moodle–Moodle LMS | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users’ browsers and steal session cookies. | 2026-05-10 | 6.1 | CVE-2022-50943 | ExploitDB-51115 Official Product Homepage Product Reference VulnCheck Advisory: Moodle LMS 4.0 Cross-Site Scripting via course search.php |
| 3dady–real-time web stats | WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed. | 2026-05-10 | 6.4 | CVE-2022-50945 | ExploitDB-51021 Official Product Homepage VulnCheck Advisory: WordPress 3dady Real-Time Web Stats 1.0 Stored XSS |
| netroics–Netroics Blog Posts Grid | WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability: the post_title parameter is not sanitized, so an authenticated editor can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50946 | ExploitDB-51008 Product Reference VulnCheck Advisory: WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS |
| RadiusTheme–Testimonial Slider and Showcase | WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability: the post_title parameter is not sanitized, so an authenticated editor can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50947 | ExploitDB-51007 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS |
| Motopress–Motopress Hotel Booking Lite | Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | 2026-05-10 | 6.4 | CVE-2022-50948 | ExploitDB-50951 Official Product Homepage VulnCheck Advisory: Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting |
| A-J-Evolution–Videos sync PDF | WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings. | 2026-05-10 | 6.4 | CVE-2022-50949 | ExploitDB-50874 Official Product Homepage VulnCheck Advisory: WordPress Plugin Videos sync PDF 1.7.4 Stored XSS |
| cab-fare-calculator–cab-fare-calculator | WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory. | 2026-05-10 | 6.2 | CVE-2022-50954 | ExploitDB-50843 Official Product Homepage VulnCheck Advisory: WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion |
| amministrazione-aperta–amministrazione-aperta | WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server. | 2026-05-10 | 6.2 | CVE-2022-50956 | ExploitDB-50838 Official Product Homepage VulnCheck Advisory: WordPress Plugin amministrazione-aperta 3.7.3 Local File Read |
| avatar_uploader–avatar_uploader | Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50957 | ExploitDB-50841 Product Reference VulnCheck Advisory: Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS |
| jetpack–Jetpack | WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50958 | ExploitDB-50735 Product Reference VulnCheck Advisory: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php |
| wpdevart–Contact Form Builder | WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50959 | ExploitDB-50734 Product Reference VulnCheck Advisory: WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php |
| Varun Sridharan–International Sms For Contact Form | WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers. | 2026-05-10 | 6.1 | CVE-2022-50960 | ExploitDB-50719 Product Reference VulnCheck Advisory: WordPress International Sms Contact Form 7 Integration 1.2 XSS |
| IP2Location–IP2Location Country Blocker | WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page. | 2026-05-10 | 6.4 | CVE-2022-50961 | ExploitDB-50709 Product Reference VulnCheck Advisory: WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50962 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myOrders Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50963 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions active Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50964 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions loose Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50965 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 posts manage Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50966 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 news manage Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50967 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 tickets manage Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50968 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 auctions manage Reflected XSS |
| uBidAuction–uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims’ browsers. | 2026-05-10 | 6.1 | CVE-2022-50969 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 mailingLog manage Reflected XSS |
| Spondonit–AmazCart CMS | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed. | 2026-05-05 | 6.1 | CVE-2023-54349 | ExploitDB-51219 Official Product Homepage Product Reference VulnCheck Advisory: AmazCart CMS 3.4 Reflected Cross-Site Scripting via Search |
| Mikrotik–RouterOS | RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others. | 2026-05-05 | 6.5 | CVE-2025-42611 | https://www.cert.si/en/cve-2025-42611/ |
| Medtronic–MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal. | 2026-05-07 | 6.8 | CVE-2025-4386 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 |
| Medtronic–MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data. | 2026-05-07 | 6.8 | CVE-2025-4397 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-8-7-18.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01 |
| Qualcomm, Inc.–Snapdragon | Transient DOS when processing target power rate tables during channel configuration. | 2026-05-04 | 6.5 | CVE-2025-47401 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming. | 2026-05-04 | 6.5 | CVE-2025-47403 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified. | 2026-05-04 | 6.5 | CVE-2025-47404 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Information Disclosure while processing IOCTL handler callbacks without verifying buffer size. | 2026-05-04 | 6.1 | CVE-2025-47406 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Apache Software Foundation–Apache CloudStack | Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure’s resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 6.5 | CVE-2025-69233 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hikvision–HikCentral Professional | There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | 2026-05-09 | 6.8 | CVE-2026-1749 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-hikcentral-professional/ |
| Cisco–Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access. | 2026-05-06 | 6.5 | CVE-2026-20168 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco–Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router. This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to create, read, or delete files and execute limited commands in user EXEC mode on a remote router. | 2026-05-06 | 6.4 | CVE-2026-20169 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| WProyal–Royal Elementor Addons | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 6.5 | CVE-2026-27421 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-cross-site-scripting-xss-vulnerability?_s_id=cve |
| traccar–traccar | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0. | 2026-05-05 | 6.5 | CVE-2026-27644 | https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7 https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91 |
| jegstudio–Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘separatorIconSVG’ parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-2868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| jegstudio–Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-05-05 | 6.4 | CVE-2026-2948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac909a4b-d949-42eb-871a-963bc6242c12?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| gofiber–fiber | Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0. | 2026-05-05 | 6.5 | CVE-2026-30246 | https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8 https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621 https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server. | 2026-05-05 | 6.1 | CVE-2026-34000 | https://access.redhat.com/security/cve/CVE-2026-34000 RHBZ#2451107 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service. | 2026-05-05 | 6.1 | CVE-2026-34002 | https://access.redhat.com/security/cve/CVE-2026-34002 RHBZ#2451112 |
| edge22–GenerateBlocks | The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}. | 2026-05-05 | 6.5 | CVE-2026-3454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0?source=cve https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L424 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L501 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L64 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L364 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.php#L335 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L392 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3495827%40generateblocks%2Ftrunk&old=3415721%40generateblocks%2Ftrunk&sfp_email=&sfph_mail= |
| Oracle Corporation–Oracle OCI CLI of Oracle Open Source Projects | Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported version that is affected is 3.77. Easily exploitable vulnerability allows an unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory. | 2026-05-06 | 6.1 | CVE-2026-35254 | Oracle Advisory |
| Oracle Corporation–Oracle Cloud Native Environment Command Line Interface | Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. Easily exploitable vulnerability allows an unauthenticated attacker to compromise the Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code. | 2026-05-06 | 6.6 | CVE-2026-35255 | Oracle Advisory |
| OpenStack–Cyborg | In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller’s project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects’ instances, aka cross-tenant denial of service. | 2026-05-07 | 6.3 | CVE-2026-40214 | https://bugs.launchpad.net/openstack-cyborg/+bug/2144056 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| pglombardo–PasswordPusher | Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2. | 2026-05-08 | 6.5 | CVE-2026-41308 | https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c https://github.com/pglombardo/PasswordPusher/pull/4381 https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4 |
| ironfede–openmcdf | OpenMcdf is a pure .NET / C# library for manipulating Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3. | 2026-05-08 | 6.2 | CVE-2026-41511 | https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525 https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0 https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3 |
| th30d4y–IP | In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been patched in version 2.0.1. | 2026-05-08 | 6.1 | CVE-2026-41575 | https://github.com/th30d4y/IP/security/advisories/GHSA-j7wv-7j97-9qh9 |
| marko-js–marko | Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164. | 2026-05-08 | 6.4 | CVE-2026-41591 | https://github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq |
| lxc–incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41647 | https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m https://github.com/lxc/incus/releases/tag/v7.0.0 |
| NaturalIntelligence–fast-xml-parser | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the `-->` sequence in comment content or the `]]>` sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0. | 2026-05-07 | 6.1 | CVE-2026-41650 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6 https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41655 | https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41658 | https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user’s browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.1 | CVE-2026-41661 | https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {“active”: true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {“revoked”: true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-41671 | https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc–incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference `.Container` without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits the container section. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41684 | https://github.com/lxc/incus/security/advisories/GHSA-x5r6-jr56-89pv https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite–Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches. | 2026-05-07 | 6 | CVE-2026-41689 | https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv |
| i18next–i18next-http-backend | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default – i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is not neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection – both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, , ?, #, %, whitespace, and control characters; cap the length). | 2026-05-07 | 6.5 | CVE-2026-41691 | https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621 |
| locize–i18next-locize-backend | i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites – _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2. | 2026-05-08 | 6.5 | CVE-2026-41885 | https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45 |
| givanz–Vvveb | Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization. | 2026-05-07 | 6.1 | CVE-2026-41929 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor |
| langgenius–dify | Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing. | 2026-05-05 | 6.5 | CVE-2026-41950 | https://github.com/langgenius/dify/releases/tag/1.14.0 https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid |
| MapServer–MapServer | MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer’s WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2. | 2026-05-08 | 6.1 | CVE-2026-42030 | https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x https://github.com/MapServer/MapServer/releases/tag/rel-8-6-2 |
| patrickhener–goshs | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim’s browser – bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2. | 2026-05-04 | 6.5 | CVE-2026-42091 | https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 https://github.com/patrickhener/goshs/releases/tag/v2.0.2 |
| titraio–titra | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available. | 2026-05-04 | 6.5 | CVE-2026-42092 | https://github.com/titraio/titra/security/advisories/GHSA-4h9p-49hg-vppw |
| GreycLab–CImg | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc. | 2026-05-04 | 6.1 | CVE-2026-42144 | https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc https://github.com/GreycLab/CImg/issues/478 https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| Erudika–scoold | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0. | 2026-05-08 | 6.7 | CVE-2026-42176 | https://github.com/Erudika/scoold/security/advisories/GHSA-7qfx-c234-xg4g https://github.com/Erudika/scoold/releases/tag/1.67.0 |
| LemmyNet–lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.3 | CVE-2026-42180 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| LemmyNet–lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.5 | CVE-2026-42181 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio’s fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-42194 | https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| becheran–grid | Grid is a data structure grid for Rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid’s logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchecked() with an invalid index, resulting in Undefined Behavior. This issue has been patched in version 1.0.1. | 2026-05-08 | 6.2 | CVE-2026-42199 | https://github.com/becheran/grid/security/advisories/GHSA-38c5-483c-4qqp https://github.com/becheran/grid/commit/be213bd3528727148bef2d523c89e95d1fd9c072 https://github.com/becheran/grid/releases/tag/v1.0.1 |
| almirhodzic–nova-toggle-5 | nova-toggle-5 enables flipping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource – including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model – not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0. | 2026-05-08 | 6.5 | CVE-2026-42202 | https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0 |
| halfgaar–FlashMQ | FlashMQ is an MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1. | 2026-05-08 | 6.5 | CVE-2026-42209 | https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-2789-vfcg-5922 https://github.com/halfgaar/FlashMQ/issues/167 https://github.com/halfgaar/FlashMQ/commit/193b6e7767889511cfa8e933908ea5e6a1077a1f https://github.com/halfgaar/FlashMQ/releases/tag/v1.26.1 |
| 0xJacky–nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42220 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39 https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky–nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" – however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42223 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| onyx-dot-app–onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user’s uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 6.5 | CVE-2026-42277 | https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-vg3h-35f7-7w6r |
| Syslifters–sysreptor | SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes are not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users’ personal notes. This gives attackers read and write access to notes of other users. This exploit works in both SysReptor Professional and Community. In Community it has, however, no impact because all users have superuser permissions and can list personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27. | 2026-05-08 | 6.8 | CVE-2026-42291 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43 https://github.com/Syslifters/sysreptor/releases/tag/2026.27 |
| labring–FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT’s isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU – Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches. | 2026-05-08 | 6.3 | CVE-2026-42344 | https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh |
| gitroomhq–postiz-app | Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7. | 2026-05-08 | 6.5 | CVE-2026-42346 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45 https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| GeoVision Inc.–GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 6.5 | CVE-2026-42367 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. | 2026-05-05 | 6.5 | CVE-2026-42433 | GitHub Security Advisory (GHSA-7jp6-r74r-995q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools |
| grimmory-tools–grimmory | Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory’s browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application’s session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1. | 2026-05-08 | 6.3 | CVE-2026-42451 | https://github.com/grimmory-tools/grimmory/security/advisories/GHSA-frv6-5wq5-9p24 http://github.com/grimmory-tools/grimmory/releases/tag/v2.3.1 |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7. | 2026-05-09 | 6.5 | CVE-2026-42576 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1 https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. | 2026-05-05 | 6.5 | CVE-2026-43528 | GitHub Security Advisory (GHSA-8372-7vhw-cm6q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 – Redaction Bypass via sourceConfig and runtimeConfig Aliases |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender’s authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender’s context, causing earlier messages to execute with elevated permissions. | 2026-05-05 | 6.8 | CVE-2026-43535 | GitHub Security Advisory (GHSA-jwrq-8g5x-5fhm) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 – Authorization Context Reuse in Collect-Mode Queue Batches |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool’s outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. | 2026-05-05 | 6.5 | CVE-2026-43567 | GitHub Security Advisory (GHSA-jf25-7968-h2h5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Path Traversal in screen_record outPath Parameter |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges. | 2026-05-05 | 6.5 | CVE-2026-43568 | GitHub Security Advisory (GHSA-5gjc-grvm-m88j) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 – Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint |
| OpenClaw–OpenClaw | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. | 2026-05-05 | 6.5 | CVE-2026-43570 | GitHub Security Advisory (GHSA-cr8r-7g2h-6wr6) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw 2026.3.22 < 2026.4.5 – Symlink Traversal in Remote Marketplace Repository Path Handling |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. | 2026-05-05 | 6.5 | CVE-2026-43574 | GitHub Security Advisory (GHSA-49cg-279w-m73x) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.12 – Improper Authorization via Empty Approver Lists |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions. | 2026-05-06 | 6.5 | CVE-2026-43577 | GitHub Security Advisory (GHSA-qmwg-qprg-3j38) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 – Arbitrary File Read via Browser Interaction Routes |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence. | 2026-05-06 | 6.5 | CVE-2026-43579 | GitHub Security Advisory (GHSA-f3h5-h452-vp3j) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – Insufficient Access Control in Nostr Profile Mutation Routes |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. | 2026-05-06 | 6.3 | CVE-2026-43582 | GitHub Security Advisory (GHSA-xq94-r468-qwgj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 – DNS Rebinding SSRF via Hostname Validation Bypass |
| roxnor–ElementsKit Elementor Addons Advanced Widgets & Templates Addons for Elementor | The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget’s custom designs, text, and configurations are permanently replaced with a blank template. | 2026-05-05 | 6.5 | CVE-2026-4362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=cve https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37 https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2&new_path=%2Felementskit-lite/tags/3.9.0 |
| wpkube–Subscribe To Comments Reloaded | The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users. | 2026-05-05 | 6.5 | CVE-2026-4409 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37 |
| labring–FastGPT | FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17. | 2026-05-08 | 6.3 | CVE-2026-44284 | https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq https://github.com/labring/FastGPT/pull/6826 https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69 https://github.com/labring/FastGPT/releases/tag/v4.14.17 |
| MervinPraison–PraisonAI | PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34. | 2026-05-08 | 6.3 | CVE-2026-44337 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2 |
| vim–vim | Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file’s compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the ‘spelllang’ option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450. | 2026-05-08 | 6.6 | CVE-2026-45130 | https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8 https://github.com/vim/vim/releases/tag/v9.2.0450 |
| Hex-Rays–IDA | Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim uses an attacker-supplied .i64 file. | 2026-05-09 | 6.5 | CVE-2026-45181 | https://blog.calif.io/p/using-ida-to-find-bugs-in-ida-with https://docs.hex-rays.com/release-notes/9_3sp2 |
| KDE–Kdenlive | Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used. | 2026-05-09 | 6.5 | CVE-2026-45184 | https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd https://kde.org/info/security/advisory-20260508-1.txt |
| shapedplugin–Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel | The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container’s `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox. | 2026-05-05 | 6.4 | CVE-2026-4665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d?source=cve https://plugins.trac.wordpress.org/browser/wp-carousel-free/tags/2.7.10/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/browser/wp-carousel-free/trunk/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/changeset/3506878/wp-carousel-free/trunk/public/js/fancybox.js |
| commonninja–Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website | The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘chartid’ shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-4730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/491c7680-d270-41ed-a756-9397a0bd86bc?source=cve https://wordpress.org/plugins/charts-ninja-graphs-and-charts https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/tags/2.1.0/chartsninja.php#L24 https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/trunk/chartsninja.php#L24 |
| croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records. | 2026-05-07 | 6.5 | CVE-2026-4807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/436ab843-7729-4d57-9c9e-2ede2f101ddb?source=cve https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L361 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L110 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-appointment-model.php#L698 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-shortcodes.php#L889 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/booking-app-new/iframe-inner.php#L444 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-bootstrap.php#L151 https://plugins.trac.wordpress.org/changeset/3511993/simply-schedule-appointments/trunk/includes |
| wproyal–Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget’s ‘instagram_follow_text’ setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site. | 2026-05-05 | 6.4 | CVE-2026-5159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3514368%40royal-elementor-addons%2Ftrunk&old=3503219%40royal-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| mirceatm–NMR Strava activities | The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-5341 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e033919-ca00-4789-8635-b4189e1499ef?source=cve https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L247 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L259 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L240 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L251 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3524779%40nmr-strava-activities%2Ftrunk&old=3520018%40nmr-strava-activities%2Ftrunk&sfp_email=&sfph_mail= |
| bitacre–WP-Clippy | The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-5505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ec49ed83-a09d-460d-be34-0fb79032b543?source=cve https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L26 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L26 |
| servmask–All-in-One WP Migration Unlimited Extension | The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the ‘Ai1wmve_Schedules_Controller::save’ handler for ‘admin_post_ai1wm_schedule_event_save’ not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure. | 2026-05-06 | 6.5 | CVE-2026-5753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a31080-c124-49be-b9d1-7bc5abe7cbda?source=cve https://help.servmask.com/knowledgebase/unlimited-extension-changelog/ |
| DivvyDrive Information Technologies Inc.–DivvyDrive | Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 6.5 | CVE-2026-5791 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| roxnor–EmailKit Email Customizer for WooCommerce & WP | The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(…) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter. | 2026-05-05 | 6.5 | CVE-2026-5957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3511701%40emailkit%2Ftrunk&old=3496714%40emailkit%2Ftrunk&sfp_email=&sfph_mail= |
| wpmudev–Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration. | 2026-05-07 | 6.5 | CVE-2026-6214 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3512045%40forminator%2Ftrunk&old=3510688%40forminator%2Ftrunk&sfp_email=&sfph_mail= |
| sszdh–Simple Owl Shortcodes | The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘num’ attribute of the ‘owls_wrapper’ shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-6255 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e33a2f27-20c2-4963-9558-1eead0515690?source=cve https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/tags/2.1.1/inc/owls_wrapper.php#L11 https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/trunk/inc/owls_wrapper.php#L11 |
| MuffinGroup–Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal. | 2026-05-05 | 6.5 | CVE-2026-6262 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3486f114-5625-4751-a25e-2c5ab7b15b38?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment. | 2026-05-06 | 6.3 | CVE-2026-6420 | https://access.redhat.com/security/cve/CVE-2026-6420 RHBZ#2458889 |
| iovamihai–Affiliate Program Suite SliceWP Affiliates | The Affiliate Program Suite – SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the ‘slicewp_affiliate_url’ shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-06 | 6.4 | CVE-2026-6672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b9e92ea-49fc-420d-9d0e-29bcf78843bd?source=cve https://plugins.trac.wordpress.org/changeset/3517135/slicewp |
| zingaya–Zingaya Click-to-Call | The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘email’, ‘first_name’, ‘last_name’, and ‘phone’ parameters on the plugin’s sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bdd515c-6b52-467c-9446-6ae9b3b75e50?source=cve https://wordpress.org/plugins/zingaya-click-to-call/ https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L62 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L71 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L79 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L104 |
| foux–Publish 2 Ping.fm | The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the ‘/wp-admin/options-general.php?page=admin.php’ page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dc5349-139a-4bf3-8503-0e75b132c68c?source=cve https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/prefs.php#L219 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/prefs.php#L219 |
| phpsandeepkumar–Blog Settings | The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6704 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d28e5374-dd34-4745-a20b-059e9846d96d?source=cve https://wordpress.org/plugins/blog-settings/ https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L173 https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L46 |
| Rapid7–Velociraptor | Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission) can issue a single authenticated HTTP GET that can read any files from other orgs – even if they have no explicit permissions in the target org. However, the problem does not occur in reverse – a user with read access to a sub org is unable to read from other orgs or the root org. | 2026-05-06 | 6.8 | CVE-2026-6863 | https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/ |
| latepoint–LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint – where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database – combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator’s or agent’s browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed. | 2026-05-06 | 6.4 | CVE-2026-7457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| wowdevs–Sky Addons Elementor Addons with Widgets & Templates | The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => ‘post’` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors. | 2026-05-08 | 6.4 | CVE-2026-7475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cfaa8ffd-549e-4803-aa17-d1317a606e7a?source=cve https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-data.php#L128 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-loader.php#L270 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.3/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-loader.php#L237 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3521696%40sky-elementor-addons%2Ftrunk&old=3517772%40sky-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| oleksandrz–E2Pdf Export Pdf Tool for WordPress | The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-7650 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36310ab1-f84e-4154-b782-51254c476d79?source=cve https://wordpress.org/plugins/e2pdf https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.00/classes/model/e2pdf-shortcode.php#L157 https://plugins.trac.wordpress.org/browser/e2pdf/trunk/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.18/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/changeset/3522046/e2pdf/trunk/classes/model/e2pdf-shortcode.php |
| crocodilestick–Calibre-Web-Automated | A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded. | 2026-05-04 | 6.3 | CVE-2026-7713 | VDB-360889 | crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization VDB-360889 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806403 | crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 IDOR in auth-token generation leading to account takeover https://github.com/crocodilestick/Calibre-Web-Automated/issues/1303 https://github.com/new-usemame/Calibre-Web-NextGen/pull/18 https://gist.github.com/menelausx/ef98aa78ed2869ccaa316ff45ed1a440 https://github.com/new-usemame/Calibre-Web-NextGen/commit/9f50bb2c16160564c9f8777dc2ceed3eb95e4807 https://github.com/new-usemame/Calibre-Web-NextGen/releases/tag/v4.0.7 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| crocodilestick–Calibre-Web-Automated | A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-04 | 6.5 | CVE-2026-7714 | VDB-360890 | crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication VDB-360890 | CTI Indicators (IOB, IOC, IOA) Submit #806468 | crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 Denial of Service https://github.com/crocodilestick/Calibre-Web-Automated/issues/1304 https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308 https://gist.github.com/menelausx/1b45c952d352a2ebdc01cd8d5aa88e87 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| ravenwits–mcp-server-arangodb | A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7715 | VDB-360891 | ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal VDB-360891 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806913 | ravenwits mcp-server-arangodb 0.4.7 Path Traversal https://github.com/ravenwits/mcp-server-arangodb/issues/7 https://github.com/BruceJqs/public_exp/issues/34 https://github.com/ravenwits/mcp-server-arangodb/ |
| code-projects–Gym Management System In PHP | A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7716 | VDB-360892 | code-projects Gym Management System In PHP/Windows NT index.php sql injection VDB-360892 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807105 | Code-projects Gym Management System In PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL1.md https://code-projects.org/ |
| Totolink–WA300 | A vulnerability was identified in Totolink WA300 5.2cu.7112_B20190227. Impacted is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument webWlanIdx leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7718 | VDB-360894 | Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection VDB-360894 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807196 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setWebWlanIdx-34553a41781f800ab40ae0c3d68c78a6?pvs=73 https://www.totolink.net/ |
| Totolink–WA300 | A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 6.3 | CVE-2026-7720 | VDB-360896 | Totolink WA300 POST Request cstecgi.cgi setLanguageCfg command injection VDB-360896 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807198 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setLanguageCfg-34553a41781f8007b6c5c7964d424286 https://www.totolink.net/ |
| Totolink–WA300 | A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7721 | VDB-360897 | Totolink WA300 cstecgi.cgi NTPSyncWithHost command injection VDB-360897 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807199 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-NTPSyncWithHost-34553a41781f80808f3cfd14e1c603e7 https://www.totolink.net/ |
| PrefectHQ–prefect | A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 6.3 | CVE-2026-7725 | VDB-360901 | PrefectHQ prefect GitRepository Pull storage.py argument injection VDB-360901 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807356 | PerfectHQ Perfect <= 3.6.24 Argument Injection https://gist.github.com/nedlir/c37d90dda5f715790eafc970b2ef0c8a https://github.com/PrefectHQ/prefect/pull/21384 https://github.com/PrefectHQ/prefect/commit/6a9d9918716ce4ee0297b69f3046f7067ef1faae https://github.com/PrefectHQ/prefect/releases/tag/3.6.25.dev7 https://github.com/PrefectHQ/prefect/ |
| ryanjoachim–mcp-rtfm | A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function get_doc_content/read_doc/update_doc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e6f0686fc36012f78236e7fed172c81444904b0b. It is best practice to apply a patch to resolve this issue. | 2026-05-04 | 6.3 | CVE-2026-7728 | VDB-360903 | ryanjoachim mcp-rtfm MCP update_doc path traversal VDB-360903 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807538 | ryanjoachim mcp-rtfm 0.1.0, Commit 054fe515735cb477d4640c20930c04b243e443fc Path Traversal https://github.com/ryanjoachim/mcp-rtfm/issues/5 https://github.com/BruceJqs/public_exp/issues/35 https://github.com/ryanjoachim/mcp-rtfm/commit/e6f0686fc36012f78236e7fed172c81444904b0b https://github.com/ryanjoachim/mcp-rtfm/ |
| pixelsock–directus-mcp | A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-05-04 | 6.3 | CVE-2026-7729 | VDB-360904 | pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery VDB-360904 | CTI Indicators (IOB, IOC, IOA) Submit #807539 | pixelsock directus-mcp 1.0.0, Commit 77758625355d105364eeaeac9afec2f743fe369b Server-Side Request Forgery https://github.com/pixelsock/directus-mcp/issues/13 https://github.com/pixelsock/directus-mcp/pull/14 https://github.com/BruceJqs/public_exp/issues/36 https://github.com/pixelsock/directus-mcp/ |
| privsim–mcp-test-runner | A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7730 | VDB-360905 | privsim mcp-test-runner MCP index.ts child_process.spawn os command injection VDB-360905 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807541 | privsim mcp-test-runner 0.2.0, Commit 83c84ed053f534774f7de935aeaa7698a5e5f9dc Command Injection https://github.com/privsim/mcp-test-runner/issues/24 https://github.com/BruceJqs/public_exp/issues/37 https://github.com/privsim/mcp-test-runner/ |
| code-projects–BloodBank Managing System | A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7731 | VDB-360906 | code-projects BloodBank Managing System get_state.php sql injection VDB-360906 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807557 | Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL3.md https://code-projects.org/ |
| code-projects–BloodBank Managing System | A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7732 | VDB-360907 | code-projects BloodBank Managing System request_blood.php unrestricted upload VDB-360907 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807558 | Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 arbitrary file upload leading to RCE vulnerability https://github.com/QAp89/CVE/blob/main/Arbitrary%20file%20upload%20leading%20to%20RCE1.md https://code-projects.org/ |
| puchunjie–doc-tools-mcp | A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7738 | VDB-360913 | puchunjie doc-tools-mcp MCP mcp-server.ts open_document path traversal VDB-360913 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807642 | puchunjie @puchunjie/doc-tools-mcp 1.0.18, Commit c96df45a16710a3eec41a7a94c32b81468db28ea Path Traversal https://github.com/puchunjie/doc-tools-mcp/issues/4 https://github.com/BruceJqs/public_exp/issues/38 https://github.com/puchunjie/doc-tools-mcp/ |
| CodeAstro–Online Classroom | A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7741 | VDB-360916 | CodeAstro Online Classroom studentlogin sql injection VDB-360916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807692 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/18 https://codeastro.com/ |
| CodeAstro–Online Classroom | A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7742 | VDB-360917 | CodeAstro Online Classroom facultylogin sql injection VDB-360917 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807694 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/19 https://codeastro.com/ |
| CodeAstro–Online Classroom | A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7743 | VDB-360918 | CodeAstro Online Classroom studentdetails sql injection VDB-360918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807695 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/20 https://codeastro.com/ |
| CodeAstro–Online Classroom | A vulnerability was found in CodeAstro Online Classroom 1.0. This affects an unknown function of the file /OnlineClassroom/addnewstudent. The manipulation of the argument fname results in sql injection. The attack may be performed remotely. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7744 | VDB-360919 | CodeAstro Online Classroom addnewstudent sql injection VDB-360919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807696 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/21 https://codeastro.com/ |
| CodeAstro–Online Classroom | A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 6.3 | CVE-2026-7745 | VDB-360920 | CodeAstro Online Classroom facultydetails sql injection VDB-360920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807697 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/22 https://codeastro.com/ |
| SourceCodester–Web-based Pharmacy Product Management System | A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7746 | VDB-360921 | SourceCodester Web-based Pharmacy Product Management System edit-admin.php sql injection VDB-360921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807693 | SourceCodester Web-based Pharmacy Product Management System V1.0 SQL Injection https://github.com/mjh134/CVE/issues/1 https://www.sourcecodester.com/ |
| CodeCanyon–Perfex CRM | A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from remote. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7782 | VDB-360979 | CodeCanyon Perfex CRM Tenant Clients.php project authorization VDB-360979 | CTI Indicators (IOB, IOC, IOA) Submit #807683 | Canyon Perfex CRM CRM 3.4.1 Improper Authorization https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments |
| CodeCanyon–Perfex CRM | A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7783 | VDB-360980 | CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery sql injection VDB-360980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807743 | CodeCanyon Perfex CRM 3.4.1 SQL Injection https://bytium.com/insights/blind-sql-injection-in-perfex-crm-3-4-1 |
| itsourcecode–Courier Management System | A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-05 | 6.3 | CVE-2026-7822 | VDB-361074 | itsourcecode Courier Management System print_pdets.php sql injection VDB-361074 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807773 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/14 https://itsourcecode.com/ |
| chatchat-space–Langchain-Chatchat | A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 6.3 | CVE-2026-7844 | VDB-361123 | chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication VDB-361123 | CTI Indicators (IOB, IOC, IOA) Submit #807790 | chatchat-space Langchain-Chatchat 0.3.1.3 Missing Authorization / CWE-862 https://github.com/chatchat-space/Langchain-Chatchat/issues/5465 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| MongoDB Inc.–MongoDB Server | An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7. | 2026-05-07 | 6.5 | CVE-2026-8063 | https://jira.mongodb.org/browse/SERVER-121851 |
| router-for-me–CLIProxyAPI | A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-07 | 6.3 | CVE-2026-8081 | VDB-361836 | router-for-me CLIProxyAPI api_tools.go server-side request forgery VDB-361836 | CTI Indicators (IOB, IOC, IOA) Submit #807811 | router-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgery https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md |
| CodeAstro–Online Classroom | A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-07 | 6.3 | CVE-2026-8097 | VDB-361849 | CodeAstro Online Classroom askquery.php sql injection VDB-361849 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808115 | codeastro Online Classroom V1.0 SQL Injection http://github.com/suze233/CVE/issues/1 https://codeastro.com/ |
| 8421bit–MiniClaw | A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch. | 2026-05-07 | 6.3 | CVE-2026-8112 | VDB-361900 | 8421bit MiniClaw kernel.ts executeCognitivePulse os command injection VDB-361900 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808166 | 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/4 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/commit/028f62216dee9f64833d0f1cfda7c217067ceba8 https://github.com/8421bit/MiniClaw/ |
| n/a–JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): “It should have been fixed; a batch of issues were recently resolved.” | 2026-05-07 | 6.3 | CVE-2026-8114 | VDB-361902 | JeecgBoot JSON Object loadTreeData sql injection VDB-361902 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808186 | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection https://github.com/jeecgboot/JeecgBoot/issues/9571 https://github.com/jeecgboot/JeecgBoot/ |
| huangjunsen0406–xiaozhi-mcphub | A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 6.3 | CVE-2026-8116 | VDB-361904 | huangjunsen0406 xiaozhi-mcphub dxtController.ts path traversal VDB-361904 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808260 | huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal https://github.com/huangjunsen0406/xiaozhi-mcphub/issues/29 https://github.com/huangjunsen0406/xiaozhi-mcphub/ |
| code-projects–Simple Chat System | A vulnerability was detected in code-projects Simple Chat System 1.0. This vulnerability affects unknown code of the file sendMessage.php. The manipulation of the argument type/length/business parameter validity results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-08 | 6.3 | CVE-2026-8125 | VDB-361915 | code-projects Simple Chat System sendMessage.php sql injection VDB-361915 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808679 | code-projects Simple Chat System v1.0 SQL Injection https://github.com/MICHEY-Ben/cve/issues/1 https://code-projects.org/ |
| n/a–eladmin | A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 6.3 | CVE-2026-8127 | VDB-361917 | eladmin Users API Endpoint UserController.java checkLevel access control VDB-361917 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808771 | eladmin 2.7 Improper Access Controls https://github.com/elunez/eladmin/issues/897 |
| UGREEN–CM933 | A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: “We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April.” | 2026-05-09 | 6.3 | CVE-2026-8185 | VDB-362337 | UGREEN CM933 Administrative missing authentication VDB-362337 | CTI Indicators (IOB, IOC) Submit #793588 | UGREEN CM933 Managed Network Switch 1.1.59.4319 CWE-306: Missing Authentication for Critical Function |
| Wavlink–NU516U1 | A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8188 | VDB-362340 | Wavlink NU516U1 adm.cgi change_wifi_password os command injection VDB-362340 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800727 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_1/1.md |
| Wavlink–NU516U1 | A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8189 | VDB-362341 | Wavlink NU516U1 adm.cgi wzdrepeater os command injection VDB-362341 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800728 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_2/2.md |
| Wavlink–NU516U1 | A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway, which is passed directly from attacker-controlled input, causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8190 | VDB-362342 | Wavlink NU516U1 adm.cgi wan os command injection VDB-362342 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800729 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_3/3.md |
| Wavlink–NU516U1 | A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This affects the function wifi_region of the file /cgi-bin/adm.cgi. Such manipulation of the argument skiplist1/skiplist2 leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8191 | VDB-362343 | Wavlink NU516U1 adm.cgi wifi_region os command injection VDB-362343 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800730 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_4/4.md |
| Wavlink–NU516U1 | A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass, which is passed directly from attacker-controlled input, results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8192 | VDB-362344 | Wavlink NU516U1 adm.cgi wzdap os command injection VDB-362344 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800731 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_5/5.md |
| n/a–Akaunting | A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 6.3 | CVE-2026-8193 | VDB-362345 | Akaunting Invoice PDF Rendering dompdf.php server-side request forgery VDB-362345 | CTI Indicators (IOB, IOC, IOA) Submit #800984 | akaunting 3.1.21 Server-Side Request Forgery https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
| Industrial Application Software IAS–Canias ERP | A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation of the argument troiaCode results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 6.3 | CVE-2026-8217 | VDB-362434 | Industrial Application Software IAS Canias ERP RMI Runtime.getRuntime.exec os command injection VDB-362434 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808262 | Industrial Application Software – IAS Canias ERP 8.03– Code Injection – Remote Code Execution – (CWE-94/CWE-78) https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
| Wavlink–NU516U1 | A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8227 | VDB-362444 | Wavlink NU516U1 adm.cgi wzdapMesh os command injection VDB-362444 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800732 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_6/6.md |
| Wavlink–NU516U1 | A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8228 | VDB-362445 | Wavlink NU516U1 wireless.cgi advance os command injection VDB-362445 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800733 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_7/7.md |
| Wavlink–NU516U1 | A vulnerability was detected in Wavlink NU516U1 240425. The affected element is the function WifiBasic of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument AuthMethod/EncrypType results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8229 | VDB-362446 | Wavlink NU516U1 wireless.cgi WifiBasic os command injection VDB-362446 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800734 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_8/8.md |
| Wavlink–NU516U1 | A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8230 | VDB-362447 | Wavlink NU516U1 login.cgi sys_login1 os command injection VDB-362447 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800735 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_9/9.md |
| CodeAstro–Online Catering Ordering System | A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-10 | 6.3 | CVE-2026-8231 | VDB-362448 | CodeAstro Online Catering Ordering System deleteorder.php sql injection VDB-362448 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808783 | codeastro Online Catering Ordering System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/63 https://codeastro.com/ |
| Opencart–OpenCart | OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts. | 2026-05-10 | 5.3 | CVE-2021-47946 | ExploitDB-49407 Official Product Homepage Product Reference VulnCheck Advisory: OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery |
| invoicing–Payments Plugin GetPaid | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed. | 2026-05-10 | 5.4 | CVE-2021-47948 | ExploitDB-50246 Product Reference VulnCheck Advisory: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text |
| Getaawp–WordPress Plugin AAWP | WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users. | 2026-05-10 | 5.4 | CVE-2022-50970 | ExploitDB-50643 Official Product Homepage VulnCheck Advisory: WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter |
| Hitachi–Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28 : before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00, before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00, before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00, before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00, before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00. | 2026-05-07 | 5.3 | CVE-2025-2514 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_306.html |
| HCL–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. | 2026-05-06 | 5.3 | CVE-2025-31960 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL–DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS). | 2026-05-06 | 5.3 | CVE-2025-31970 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| WEN Themes–WEN Logo Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0. | 2026-05-07 | 5.9 | CVE-2025-62127 | https://patchstack.com/database/wordpress/plugin/wen-logo-slider/vulnerability/wordpress-wen-logo-slider-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Magepeople inc.–Bus Ticket Booking with Seat Reservation | Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8. | 2026-05-07 | 5.3 | CVE-2025-66105 | https://patchstack.com/database/wordpress/plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-8-broken-access-control-vulnerability?_s_id=cve |
| WPGraphQL–WPGraphQL | Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3. | 2026-05-07 | 5.4 | CVE-2025-68604 | https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. | 2026-05-06 | 5.3 | CVE-2026-20195 | cisco-sa-ise-unauth-bypass-uxjRXGpb |
| Cisco–Cisco Webex Meetings | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. | 2026-05-06 | 5.4 | CVE-2026-20219 | cisco-sa-slido-idor-CpsFmKxN |
| Qualcomm, Inc.–Snapdragon | Memory corruption while processing IOCTL command when device is in power-save state. | 2026-05-04 | 5.5 | CVE-2026-25266 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WProyal–Royal Elementor Addons | Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 5.3 | CVE-2026-25436 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-broken-access-control-vulnerability?_s_id=cve |
| weDevs–Happy Addons for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Happy Addons for Elementor: from n/a through 3.20.8. | 2026-05-07 | 5.3 | CVE-2026-25468 | https://patchstack.com/database/wordpress/plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpmudev–Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions. | 2026-05-05 | 5.3 | CVE-2026-2729 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve https://plugins.trac.wordpress.org/changeset/3500669/forminator |
| YITH–YITH WooCommerce Wishlist | Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0. | 2026-05-07 | 5.3 | CVE-2026-27329 | https://patchstack.com/database/wordpress/plugin/yith-woocommerce-wishlist/vulnerability/wordpress-yith-woocommerce-wishlist-plugin-4-12-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| bPlugins–PDF Poster | Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through 2.4.1. | 2026-05-07 | 5.3 | CVE-2026-27416 | https://patchstack.com/database/wordpress/plugin/pdf-poster/vulnerability/wordpress-pdf-poster-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| traccar–traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27693 | https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656 https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54 |
| traccar–traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27694 | https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv |
| elabftw–elabftw | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2. | 2026-05-05 | 5.9 | CVE-2026-28510 | https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65 https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9 |
| n/a–Pluck CMS | Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function | 2026-05-04 | 5.7 | CVE-2026-31205 | https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207 https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php https://github.com/pluck-cms/pluck/issues/141 https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial |
| mercadopago–Mercado Pago payments for WooCommerce | The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘mp_pix_image’ WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references. | 2026-05-06 | 5.3 | CVE-2026-3208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358 https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92 https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12 |
| EZVIZ–EZVIZ APP | Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data. Users are advised to upgrade the app to the latest version and enable the video encryption feature. | 2026-05-09 | 5.3 | CVE-2026-32683 | https://www.ezviz.com/inter/trust-center/security/security-notice/2026.05.08 https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-cloud-function-modules-of-some-hikvisi/ |
| Red Hat–Fast Datapath for RHEL 7 | A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system. | 2026-05-05 | 5.9 | CVE-2026-34956 | https://access.redhat.com/security/cve/CVE-2026-34956 RHBZ#2453459 |
| ZTE–ZTE PROCESS Guard service | There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass. | 2026-05-06 | 5.2 | CVE-2026-40001 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1477954674427011121 |
| ZTE–ZX297520V3 BootROM | ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution. | 2026-05-07 | 5.1 | CVE-2026-40003 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645 |
| ZTE–ZXCLOUD iRAI | There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges. | 2026-05-07 | 5.5 | CVE-2026-40004 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3126272076755775573 |
| PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell’s formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example “. @”, “@ ”, or “x@”), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4. | 2026-05-06 | 5.4 | CVE-2026-40296 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc |
| open-telemetry–opentelemetry-dotnet | OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size. | 2026-05-06 | 5.3 | CVE-2026-41310 | https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081 |
| istio–istio | Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2. | 2026-05-07 | 5 | CVE-2026-41413 | https://github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc https://github.com/istio/istio/releases/tag/1.28.6 https://github.com/istio/istio/releases/tag/1.29.2 |
| netty–netty | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final. | 2026-05-06 | 5.3 | CVE-2026-41417 | https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv |
| open-telemetry–opentelemetry-dotnet-contrib | OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB. | 2026-05-06 | 5.9 | CVE-2026-41483 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-vc24-j8c5-2vw4 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121 |
| open-telemetry–opentelemetry-dotnet-contrib | OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB. | 2026-05-06 | 5.3 | CVE-2026-41484 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-55m9-299j-53c7 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4117 |
| czlonkowski–n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header in multi-tenant setups, and JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed – unauthenticated requests were correctly rejected with 401 Unauthorized – but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11. | 2026-05-08 | 5.3 | CVE-2026-41495 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-pfm2-2mhg-8wpx https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.11 |
| enchant97–note-mark | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM’s soft-delete scope does not reach the raw “JOIN books …” clauses used by the note and asset queries. This issue has been patched in version 0.19.3. | 2026-05-04 | 5.3 | CVE-2026-41572 | https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| projectdiscovery–nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei’s expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.3 | CVE-2026-41645 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr https://github.com/projectdiscovery/nuclei/pull/7221 https://github.com/projectdiscovery/nuclei/pull/7321 https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3 https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0 |
| projectdiscovery–nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei’s JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.5 | CVE-2026-41646 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4 https://github.com/projectdiscovery/nuclei/pull/7332 https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9. | 2026-05-07 | 5.2 | CVE-2026-41662 | https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| freescout-help-desk–freescout | FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472’s notification authorization bypass – the prior fix did not cover this code path. A non-admin attacker can silently disable an admin’s email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217. | 2026-05-07 | 5.4 | CVE-2026-41903 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f489-qxv6-gvgg https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz–Vvveb | Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application’s secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule. | 2026-05-07 | 5.3 | CVE-2026-41928 | https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7 https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller |
| givanz–Vvveb | Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests. | 2026-05-06 | 5.3 | CVE-2026-41931 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler |
| novafacile–novagallery | novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1. | 2026-05-08 | 5.3 | CVE-2026-42028 | https://github.com/novafacile/novagallery/security/advisories/GHSA-wv5j-98c7-frm9 https://github.com/novafacile/novagallery/commit/46fe7b0f79f429e18c8cff3f92360c4513732ba6 https://github.com/novafacile/novagallery/releases/tag/v2.1.1 |
| EvoMap–evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3. | 2026-05-04 | 5.2 | CVE-2026-42077 | https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| GreycLab–CImg | CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5. | 2026-05-04 | 5.5 | CVE-2026-42146 | https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv https://github.com/GreycLab/CImg/issues/477 https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| WeblateOrg–wlc | wlc is a Weblate command-line client using Weblate’s REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0. | 2026-05-08 | 5.1 | CVE-2026-42150 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3 https://github.com/WeblateOrg/wlc/pull/1327 https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469 https://github.com/WeblateOrg/wlc/releases/tag/2.0.0 |
| suitenumerique–people | People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0. | 2026-05-08 | 5.5 | CVE-2026-42185 | https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf https://github.com/suitenumerique/people/commit/6a51b96d8e907483fa8fc489d8714cc35fb4099b https://github.com/suitenumerique/people/releases/tag/v1.25.0 |
| redwoodjs–sdk | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim’s session cookie attached. This issue has been patched in version 1.2.3. | 2026-05-08 | 5.3 | CVE-2026-42190 | https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c https://github.com/redwoodjs/sdk/releases/tag/v1.2.3 |
| useplunk–plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React’s dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign’s email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0. | 2026-05-08 | 5.4 | CVE-2026-42192 | https://github.com/useplunk/plunk/security/advisories/GHSA-mjqc-qrv3-24hq https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| G-Research–ParquetSharp | ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1. | 2026-05-07 | 5.3 | CVE-2026-42241 | https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88 https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1 |
| solidtime-io–solidtime | solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller’s organization. This issue has been patched in version 0.12.1. | 2026-05-08 | 5.8 | CVE-2026-42279 | https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1 |
| OpenStack–Horizon | An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix. | 2026-05-05 | 5.3 | CVE-2026-43002 | https://bugs.launchpad.net/horizon/+bug/2150331 https://www.openwall.com/lists/oss-security/2026/05/05/7 https://security.openstack.org/ossa/OSSA-2026-009.html |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality. | 2026-05-05 | 5.3 | CVE-2026-43572 | GitHub Security Advisory (GHSA-gc9r-867r-j85f) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 – Missing Sender Authorization in Microsoft Teams SSO Invoke Handler |
| OpenClaw–OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery. | 2026-05-06 | 5.3 | CVE-2026-43583 | GitHub Security Advisory (GHSA-r77c-2cmr-7p47) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 – Loss of Group Tool-Policy Context in Delivery Queue Recovery |
| electerm–electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches. | 2026-05-08 | 5.5 | CVE-2026-43942 | https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h |
| NixOS–Nix | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via “nix-prefetch-url --unpack” or “nix store prefetch-file --unpack” directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7). | 2026-05-05 | 5.3 | CVE-2026-44029 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. | 2026-05-06 | 5.3 | CVE-2026-44112 | GitHub Security Advisory (GHSA-wppj-c6mr-83jj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 – Symlink Swap Race Condition in OpenShell FS Bridge Writes |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. | 2026-05-06 | 5.3 | CVE-2026-44113 | GitHub Security Advisory (GHSA-5h3g-6xhh-rg6p) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 – Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. | 2026-05-06 | 5.8 | CVE-2026-44117 | GitHub Security Advisory (GHSA-c4qg-j8jg-42q5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 – Server-Side Request Forgery in QQBot Direct Media Upload |
| ZTE–ZXCLOUD iRAI | ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption. | 2026-05-07 | 5.7 | CVE-2026-44406 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8107253322107965601 |
| ZcashFoundation–zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0. | 2026-05-08 | 5.3 | CVE-2026-44500 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv |
| publishpress–Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper’ attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors. | 2026-05-05 | 5.5 | CVE-2026-5247 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://github.com/publishpress/publishpress-future/releases |
| djangoproject–Django | An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue. | 2026-05-05 | 5.3 | CVE-2026-5766 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| wpmudev–Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions – including export, delete, clone, delete-entries, publish/draft, and bulk variants – after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook – which fires before WordPress enforces page-level capability checks – a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status. | 2026-05-07 | 5.3 | CVE-2026-6222 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988 |
| www[.]pgbouncer[.]org–PgBouncer | A possible null pointer dereference in PgBouncer before 1.25.2 could lead to a crash if a server sends an error response without a SQLSTATE field. | 2026-05-09 | 5.9 | CVE-2026-6666 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Velocidex–velociraptor | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request. | 2026-05-06 | 5 | CVE-2026-7573 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/ |
| latepoint–LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer’s email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow’s ability to overwrite an existing customer’s email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. | 2026-05-09 | 5.3 | CVE-2026-7652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0&new_path=%2Flatepoint/tags/5.5.1 |
| PrefectHQ–prefect | A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5.3 | CVE-2026-7722 | VDB-360898 | PrefectHQ prefect Health Check API health endswith improper authentication VDB-360898 | CTI Indicators (IOB, IOC, IOA) Submit #807255 | PrefectHQ Perfect <=3.6.21 Improper Authentication https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 https://github.com/PrefectHQ/prefect/pull/21063 https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 https://github.com/PrefectHQ/prefect/releases/tag/3.6.22 https://github.com/PrefectHQ/prefect/ |
| PrefectHQ–prefect | A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5 | CVE-2026-7724 | VDB-360900 | PrefectHQ prefect Webhook/Notification validate_restricted_url toctou VDB-360900 | CTI Indicators (IOB, IOC, IOA) Submit #807303 | PerfectHQ Perfect >=3.6.26 Time-of-check Time-of-use https://linear.app/prefect/issue/OSS-7874/fix-dns-rebinding-toctou-bypass-in-validate-restricted-url https://github.com/PrefectHQ/prefect/pull/21591 https://gist.github.com/nedlir/fa99777e8989414585d08c3625bf044a https://github.com/PrefectHQ/prefect/commit/7c70ac54a5e101431d83b9f2681ec88d5e0021ed https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2 https://github.com/PrefectHQ/prefect/ |
| osrg–GoBGP | A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component. | 2026-05-04 | 5.3 | CVE-2026-7734 | VDB-360909 | osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service VDB-360909 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807581 | GoBGP 4.3.0 Infinite Loop https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg–GoBGP | A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended. | 2026-05-04 | 5.3 | CVE-2026-7737 | VDB-360912 | osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds VDB-360912 | CTI Indicators (IOB, IOC, IOA) Submit #807605 | osrg GoBGP <= 4.3.0 Out-of-Bounds Read https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| runZero–Platform | An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform. | 2026-05-05 | 5 | CVE-2026-7778 | https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/ https://help.runzero.com/docs/release-notes/#402604160 |
| PicoTronica–e-Clinic Healthcare System ECHS | A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8031 | VDB-361357 | PicoTronica e-Clinic Healthcare System ECHS API Endpoint patient-records missing authentication VDB-361357 | CTI Indicators (IOB, IOC, IOA) Submit #800781 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Exposure of Private Personal Information to an Unauthorized Acto https://docs.google.com/document/d/1FByC9x21c5503cQg6lkxjffIwWlEAHtHi_83vk2eUdk/edit?usp=sharing |
| PicoTronica–e-Clinic Healthcare System ECHS | A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. Upgrading to version 5.7.1 mitigates this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8033 | VDB-361359 | PicoTronica e-Clinic Healthcare System ECHS Response Header v2 information disclosure VDB-361359 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800793 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Information Disclosure https://docs.google.com/document/d/1dBJAAYyNpktnOBSCJPJGUMdfjb-Vj3PTy5oNj8RjeQ8/edit?usp=sharing |
| OSGeo–gdal | A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8086 | VDB-361839 | OSGeo gdal SWapi.c SWnentries heap-based overflow VDB-361839 | CTI Indicators (IOB, IOC, IOA) Submit #808038 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14356 https://github.com/OSGeo/gdal/pull/14361 https://github.com/biniamf/pocs/tree/main/gdal-swinqdims_bof https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 https://github.com/OSGeo/gdal/releases/tag/v3.12.4RC1 https://github.com/OSGeo/gdal/ |
| OSGeo–gdal | A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8087 | VDB-361840 | OSGeo gdal GDapi.c GDnentries heap-based overflow VDB-361840 | CTI Indicators (IOB, IOC, IOA) Submit #808039 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14363 https://github.com/biniamf/pocs/tree/main/gdal-gdinqfields_bof https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| gyoridavid–short-video-maker | A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 5.3 | CVE-2026-8115 | VDB-361903 | gyoridavid short-video-maker REST API rest.ts path traversal VDB-361903 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808258 | gyoridavid short-video-maker 1.3.4 Path Traversal https://github.com/gyoridavid/short-video-maker/issues/73 https://github.com/gyoridavid/short-video-maker/ |
| n/a–Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack is possible to be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue. | 2026-05-09 | 5.3 | CVE-2026-8186 | VDB-362338 | Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out-of-bounds VDB-362338 | CTI Indicators (IOB, IOC, IOA) Submit #800024 | Open5GS 2.7.7 Out-of-bounds Read (CWE-125) / Denial of Service (CWE-400) https://github.com/open5gs/open5gs/issues/4491 https://github.com/open5gs/open5gs/pull/4496 https://github.com/open5gs/open5gs/commit/d5bc487fcf9ea87d2b03f2ef95123af344773bfb https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A flaw has been found in Open5GS up to 2.7.7. This impacts the function _gtpv1_u_recv_cb of the file src/upf/gtp-path.c of the component UPF. Executing a manipulation can lead to resource consumption. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-09 | 5.3 | CVE-2026-8187 | VDB-362339 | Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption VDB-362339 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800025 | Open5GS 2.7.7 Denial of Service (DoS) (CWE-400) https://github.com/open5gs/open5gs/issues/4492 https://github.com/open5gs/open5gs/ |
| logtivity–Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used to impersonate the site in API calls to the Logtivity service. | 2026-05-09 | 5.3 | CVE-2026-8198 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ca20b0-0831-4f60-9021-679be6c145ef?source=cve https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/changeset/3507386/ |
| aandrew-me–tgpt | A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 5.3 | CVE-2026-8210 | VDB-362418 | aandrew-me tgpt Update helper.go helper.Update command injection VDB-362418 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803594 | aandrew-me tgpt v2.11.1 Command Injection https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing |
| OSGeo–gdal | A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded. | 2026-05-09 | 5.3 | CVE-2026-8212 | VDB-362429 | OSGeo gdal SWapi.c SWSDfldsrch heap-based overflow VDB-362429 | CTI Indicators (IOB, IOC, IOA) Submit #808127 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14398 https://github.com/biniamf/pocs/tree/main/gdal-swsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| OSGeo–gdal | A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component. | 2026-05-09 | 5.3 | CVE-2026-8213 | VDB-362430 | OSGeo gdal Grid File GDapi.c GDSDfldsrch heap-based overflow VDB-362430 | CTI Indicators (IOB, IOC, IOA) Submit #808128 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14399 https://github.com/biniamf/pocs/tree/main/gdal-gdsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| Industrial Application Software IAS–Canias ERP | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8214 | VDB-362431 | Industrial Application Software IAS Canias ERP RMI doAction improper authentication VDB-362431 | CTI Indicators (IOB, IOC, IOA) Submit #808238 | Industrial Application Software – IAS Canias ERP 8.03– Information Disclosure https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3ef872a445310c5866d07d6a5b1803fa |
| Industrial Application Software IAS–Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of the argument m_strSourceFileName causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8215 | VDB-362432 | Industrial Application Software IAS Canias ERP RMI iasRequestFileEvent path traversal VDB-362432 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808242 | Industrial Application Software – IAS Canias ERP 8.03– Directory traversal / Arbitrary file read https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3885c69998516685e3ea833403b9db2b |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8222 | VDB-362439 | Open5GS sm-policies Endpoint nbsf-handler.c pcf_nbsf_management_handle_register denial of service VDB-362439 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808427 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4437 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8223 | VDB-362440 | Open5GS sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service VDB-362440 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808442 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4438 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function pcf_sess_set_ipv6prefix of the file /src/pcf/context.c of the component PCF. Executing a manipulation of the argument SmPolicyContextData.ipv6AddressPrefix can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8224 | VDB-362441 | Open5GS PCF context.c pcf_sess_set_ipv6prefix denial of service VDB-362441 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808443 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4439 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was identified in Open5GS up to 2.7.7. This affects the function pcf_npcf_smpolicycontrol_handle_delete of the file src/pcf/sm-sm.c of the component delete Endpoint. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8225 | VDB-362442 | Open5GS delete Endpoint sm-sm.c pcf_npcf_smpolicycontrol_handle_delete denial of service VDB-362442 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808444 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4440 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_pcc_rule_install_flow_from_media in the library /lib/proto/types.c. The manipulation results in denial of service. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8226 | VDB-362443 | Open5GS types.c ogs_pcc_rule_install_flow_from_media denial of service VDB-362443 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808445 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4441 https://github.com/open5gs/open5gs/ |
| 8421bit–MiniClaw | A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue. | 2026-05-10 | 5.5 | CVE-2026-8235 | VDB-362455 | 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection VDB-362455 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #809001 | 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/6 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/issues/6#issue-4290453729 https://github.com/8421bit/MiniClaw/commit/223c16a1088e138838dcbd18cd65a37c35ac5a84 https://github.com/8421bit/MiniClaw/ |
| Industrial Application Software IAS–Canias ERP | A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8241 | VDB-362457 | Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization VDB-362457 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808270 | Industrial Application Software – IAS Canias ERP 8.03– Exposure of Sensitive Information to an Unauthorized Actor https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6f3f050f08cff569ecbde586e63c6bea |
| Industrial Application Software IAS–Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of a hard-coded cryptographic key. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8243 | VDB-362459 | Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key VDB-362459 | CTI Indicators (IOB, IOC, TTP) Submit #808296 | Industrial Application Software – IAS Canias ERP 8.03– Use of Hard-coded Cryptographic Key (CWE-321) |
| Industrial Application Software IAS–Canias ERP | A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8244 | VDB-362460 | Industrial Application Software IAS Canias ERP Login RMI improper authentication VDB-362460 | CTI Indicators (IOB, IOC, IOA) Submit #808326 | Industrial Application Software – IAS Canias ERP 8.03– Improper Authentication (CWE-287), (CWE-200) https://gist.github.com/0xb1lal/758bbc5e4d82efea248e675da934ac69 |
| Opencart–OpenCart | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the ‘password’ and ‘confirm’ parameters to hijack accounts. | 2026-05-10 | 4.3 | CVE-2021-47953 | ExploitDB-49970 VulnCheck Advisory: OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password |
| curtain–Curtain | WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation. | 2026-05-10 | 4.3 | CVE-2022-50955 | ExploitDB-50842 Official Product Homepage VulnCheck Advisory: WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery |
| HCL Software–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them if exfiltrated. | 2026-05-06 | 4.8 | CVE-2025-31976 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software–BigFix Service Management (SM) | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. | 2026-05-06 | 4.6 | CVE-2025-31978 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by the use of a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. | 2026-05-06 | 4.6 | CVE-2025-52613 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| timwhitlock–Loco Translate | The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded. | 2026-05-05 | 4.9 | CVE-2026-1921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3 |
| Cisco–Cisco Enterprise Chat and Email | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. | 2026-05-06 | 4.3 | CVE-2026-20172 | cisco-sa-ece-lite-agent-BCgSN8eb |
| Cisco–Cisco Prime Infrastructure | A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | 2026-05-06 | 4.3 | CVE-2026-20189 | cisco-sa-pi-unauth-infodiscl-LFnLgmey |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role. | 2026-05-06 | 4.3 | CVE-2026-20193 | cisco-sa-ise-unauth-bypass-uxjRXGpb |
| techjewel–Ninja Tables Easy Data Table Builder | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion. | 2026-05-06 | 4.3 | CVE-2026-2306 | https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e?source=cve https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3453522%40ninja-tables%2Ftrunk&old=3447894%40ninja-tables%2Ftrunk&sfp_email=&sfph_mail= |
| PluginUs.Net–BEAR | Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5. | 2026-05-07 | 4.3 | CVE-2026-27415 | https://patchstack.com/database/wordpress/plugin/woo-bulk-editor/vulnerability/wordpress-bear-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Oracle Corporation–Oracle Macaron Tool of Oracle Open Source Projects | Vulnerability in the Oracle Macaron Tool product of Oracle Open Source Projects. The supported version that is affected is v0.22.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation. | 2026-05-06 | 4.7 | CVE-2026-35253 | Oracle Advisory |
| wpeverest–User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit. | 2026-05-05 | 4.3 | CVE-2026-3601 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c8798fb2-4cab-4960-9e32-fd74bb4a5091?source=cve https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/includes/class-ur-ajax.php?contextall=1 |
| Spring–Spring Cloud Config | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 4.4 | CVE-2026-41004 | https://spring.io/security/cve-2026-41004 |
| go-git–go-git | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2. | 2026-05-08 | 4.7 | CVE-2026-41506 | https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963 https://github.com/go-git/go-git/releases/tag/v5.18.0 https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2 |
| WeblateOrg–weblate | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via “cycle_session_keys()”, but DRF API tokens (“wlu_*” prefix) stored in “authtoken_token” are not revoked. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.2 | CVE-2026-41519 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2 https://github.com/WeblateOrg/weblate/pull/19057 https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as ‘string’ type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.5 | CVE-2026-41656 | https://github.com/Admidio/admidio/security/advisories/GHSA-m9h6-8pqm-xrhf https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.9 | CVE-2026-41657 | https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc–incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amounts of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_volume and storage.backups_volume, as those users will have large uploads stored on those volumes rather than directly on the host filesystem. This is the default behavior on IncusOS. This issue has been patched in version 7.0.0. | 2026-05-07 | 4.3 | CVE-2026-41685 | https://github.com/lxc/incus/security/advisories/GHSA-98vh-x9cx-9cfp https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite–Wallos | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598). The includes/ssrf_helper.php file explicitly defines is_cgnat_ip() to cover this gap (used by notification endpoints), but the logo/icon URL fetching in subscription and payment endpoints performs its own inline validation that misses this range. This allows authenticated users to perform Blind SSRF to internal services in Tailscale, Carrier-Grade NAT, and other environments using 100.64.0.0/10 addresses. This issue has been patched in version 4.8.1. | 2026-05-07 | 4.3 | CVE-2026-41687 | https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2 https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85 https://github.com/ellite/Wallos/releases/tag/v4.8.1 |
| i18next–i18nextify | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix – it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>…</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response – for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8. | 2026-05-07 | 4.7 | CVE-2026-41692 | https://github.com/i18next/i18nextify/security/advisories/GHSA-6457-mxpq-4fqq https://github.com/i18next/i18nextify/commit/16f23dbcdcf893673587f7a03355bf7ce0a0e49e |
| flarum–framework | Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum’s patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via ExtendSettings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) ‘<path>’, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1. | 2026-05-08 | 4.9 | CVE-2026-41887 | https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 https://github.com/flarum/framework/releases/tag/v1.8.16 https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| icip-cas–PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42078 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-hrcw-xc63-g29m https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| icip-cas–PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42080 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-pxhg-7xr2-w7xg https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 4.3 | CVE-2026-42085 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5 https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0. | 2026-05-04 | 4.6 | CVE-2026-42086 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x |
| xwiki-contrib–macro-plantuml | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to “render” the diagram. This issue has been patched in version 2.4.1. | 2026-05-04 | 4.4 | CVE-2026-42140 | https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c https://jira.xwiki.org/browse/PLANTUML-25 |
| onyx-dot-app–onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user’s active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user’s LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 4.3 | CVE-2026-42276 | https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-rw6w-hp62-gc8w |
| czlonkowski–n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material – most notably n8n_manage_credentials.data – the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13. | 2026-05-08 | 4.3 | CVE-2026-42282 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-wg4g-395p-mqv3 https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451 https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.13 |
| vim–vim | Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383. | 2026-05-08 | 4.4 | CVE-2026-42307 | https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc https://github.com/vim/vim/releases/tag/v9.2.0383 |
| Mintplex-Labs–anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user’s chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user’s private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1. | 2026-05-08 | 4.3 | CVE-2026-42456 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets. | 2026-05-06 | 4.3 | CVE-2026-44111 | GitHub Security Advisory (GHSA-f934-5rqf-xx47) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 – Arbitrary Markdown File Read via QMD memory_get |
| WeblateOrg–weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44263 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gcg5-86jr-f7jg https://github.com/WeblateOrg/weblate/pull/19258 https://github.com/WeblateOrg/weblate/commit/6cf892c7bd50b667a65a99d716a90694f7d9f203 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| WeblateOrg–weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn’t properly sanitize some attributes. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44264 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5cmv-3rc4-7279 https://github.com/WeblateOrg/weblate/pull/19259 https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| kimai–kimai | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption(‘associated_files’, …) inside the sandboxed Twig render. This is forwarded to mPDF’s SetAssociatedFiles(), whose writer calls file_get_contents($entry[‘path’]) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0. | 2026-05-08 | 4.1 | CVE-2026-44298 | https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw https://github.com/kimai/kimai/releases/tag/2.56.0 |
| ZTE–ZXCLOUD iRAI | A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | 2026-05-07 | 4.7 | CVE-2026-44407 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4783596796997009530 |
| techjewel–Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve “..” segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user – including wp-config.php with its database credentials and authentication salts – by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled. | 2026-05-06 | 4.9 | CVE-2026-6344 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412f6e1214?source=cve https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L121 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L130 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L133 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L135 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L137 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L151 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php#L17 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/SubmissionHandler.php#L17 https://plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php |
| n/a–PgBouncer | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter. | 2026-05-09 | 4.3 | CVE-2026-6667 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| xavortm–DX Sources | The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to modify the plugin's configuration options via a forged request, granted they can trick a logged-in site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6700 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c96e57-0300-4ea7-a0c6-5d060b6e979d?source=cve https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L79 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L79 |
| kazunii–addfreespace | The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6701 | https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=cve https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L83 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L83 |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue. | 2026-05-05 | 4.3 | CVE-2026-6907 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| Velocidex–velociraptor | An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin. | 2026-05-06 | 4.4 | CVE-2026-7572 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/ |
| n/a–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7779 | VDB-360976 | Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service VDB-360976 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806249 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4418 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of the component smf-registrations Endpoint. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7780 | VDB-360977 | Open5GS smf-registrations Endpoint udm-sm.c udm_state_operational denial of service VDB-360977 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806250 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4419 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c of the component amf-3gpp-access Endpoint. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7781 | VDB-360978 | Open5GS amf-3gpp-access Endpoint nudm-handler.c udm_nudm_uecm_handle_amf_registration_update denial of service VDB-360978 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806251 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4420 https://github.com/open5gs/open5gs/ |
| FlowiseAI–Flowise | A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded. | 2026-05-06 | 4.3 | CVE-2026-8027 | VDB-361274 | FlowiseAI Flowise User Controller authorization VDB-361274 | CTI Indicators (IOB, IOC, IOA) Submit #777657 | FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639) https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b |
| 8421bit–MiniClaw | A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue. | 2026-05-07 | 4.3 | CVE-2026-8113 | VDB-361901 | 8421bit MiniClaw executeSkillScript kernel.ts isPathInside path traversal VDB-361901 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808167 | 8421bit MiniClaw 0 Path Traversal https://github.com/8421bit/MiniClaw/issues/5 https://github.com/8421bit/MiniClaw/pull/8 https://github.com/8421bit/MiniClaw/commit/e8bd4e17e9428260f2161378356affc5ce90d6ed https://github.com/8421bit/MiniClaw/ |
| SourceCodester–Pizzafy Ecommerce System | A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-05-07 | 4.3 | CVE-2026-8117 | VDB-361905 | SourceCodester Pizzafy Ecommerce System index.php cross site scripting VDB-361905 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808327 | sourcecodester Pizzafy Ecommerce System V1.0 Cross Site Scripting https://github.com/redshadowword-cell/CVE/issues/5 https://www.sourcecodester.com/ |
| n/a–Open5GS | A flaw has been found in Open5GS up to 2.7.7. The affected element is the function nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf of the file /src/nssf/nnssf-handler.c of the component NSSF. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8120 | VDB-361907 | Open5GS NSSF nnssf-handler.c denial of service VDB-361907 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808421 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4432 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. The impacted element is the function ogs_sbi_parse_plmn_list in the library /lib/sbi/conv.c of the component NSSF. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8121 | VDB-361908 | Open5GS NSSF conv.c ogs_sbi_parse_plmn_list denial of service VDB-361908 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808422 | Open5gs NSSF v2.7.7 Denial of Service Submit #808424 | Open5gs NSSF v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4433 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8122 | VDB-361909 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service VDB-361909 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808425 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4435 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. This impacts the function ogs_sbi_discovery_option_add_snssais in the library /lib/sbi/message.c of the component NSSF. This manipulation causes denial of service. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8123 | VDB-361910 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_snssais denial of service VDB-361910 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808426 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4436 https://github.com/open5gs/open5gs/ |
| n/a–osTicket | A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-09 | 4.3 | CVE-2026-8194 | VDB-362346 | osTicket Dispatcher class.dispatcher.php cross-site request forgery VDB-362346 | CTI Indicators (IOB, IOC, IOA) Submit #802755 | osTicket 1.18.3 Cross-Site Request Forgery https://github.com/osTicket/osTicket/pull/6945 https://github.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.md https://github.com/osTicket/osTicket/ |
| n/a–JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.3 | CVE-2026-8195 | VDB-362347 | JeecgBoot SVG File CommonController.java cross site scripting VDB-362347 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803528 | jeecgboot JeecgBoot 3.9.1 Doubled Character XSS Manipulations https://github.com/xpp3901/CVE_APPLY/blob/main/V-006_SVG_Stored_XSS/README.md |
| codelibs–Fess | A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.7 | CVE-2026-8211 | VDB-362419 | codelibs Fess JSP File AdminDesignAction.java update code injection VDB-362419 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #804293 | CodeLibs Fess 15.5.1 Arbitrary File Write https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink |
| Dotouch–XproUPF | A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The vendor was contacted early about this disclosure. | 2026-05-10 | 4.6 | CVE-2026-8233 | VDB-362450 | Dotouch XproUPF access control VDB-362450 | CTI Indicators (IOB, IOC, TTP) Submit #808799 | Dotouch XproUPF v2.0.0-release-088aa7c4 imp |
| n/a–Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. The affected element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. The manipulation results in denial of service. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8248 | VDB-362545 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362545 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808472 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4442 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A flaw has been found in Open5GS up to 2.7.7. The impacted element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. This manipulation causes denial of service. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8249 | VDB-362546 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362546 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808473 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4443 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This affects the function smf_n4_build_qos_flow_to_modify_list of the file /src/smf/n4-build.c of the component SMF. Such manipulation leads to denial of service. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8250 | VDB-362547 | Open5GS SMF n4-build.c smf_n4_build_qos_flow_to_modify_list denial of service VDB-362547 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808476 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4444 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This impacts the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. Performing a manipulation results in denial of service. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8251 | VDB-362548 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808480 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4445 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function smf_nsmf_handle_create_data_in_hsmf of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8252 | VDB-362549 | Open5GS SMF smf_nsmf_handle_create_data_in_hsmf null pointer dereference VDB-362549 | CTI Indicators (IOB, IOC, IOA) Submit #808482 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4446 https://github.com/open5gs/open5gs/ |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| HCL Software–BigFix Service Management (SM) | HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. | 2026-05-06 | 3.5 | CVE-2025-31959 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | 2026-05-06 | 3.9 | CVE-2025-31974 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software–BigFix Service Management (SM) | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality. | 2026-05-06 | 3.7 | CVE-2025-31982 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-31983 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL–BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | 2026-05-06 | 3.7 | CVE-2025-31984 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL–DFXAnalytics | HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application. | 2026-05-06 | 3.7 | CVE-2025-59851 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL–DFXAnalytics | HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-59852 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL–DFXAnalytics | HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application’s internal structure, code logic, and environment configurations. | 2026-05-06 | 3.1 | CVE-2025-59853 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL–DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | 2026-05-06 | 3.1 | CVE-2025-59854 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| Dell–PowerScale OneFS | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contains an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2026-05-08 | 3.3 | CVE-2026-32803 | https://www.dell.com/support/kbdoc/en-us/000461228/dsa-2026-172-security-update-for-dell-powerscale-onefs-insufficient-logging-vulnerability |
| kimai–kimai | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0. | 2026-05-08 | 3.3 | CVE-2026-41498 | https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm https://github.com/kimai/kimai/releases/tag/2.54.0 |
| Admidio–admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio’s preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9. | 2026-05-07 | 3.5 | CVE-2026-41663 | https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| jgraph–drawio | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and session state token exfiltration. This issue has been patched in version 29.7.9. | 2026-05-08 | 3.4 | CVE-2026-42195 | https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x https://github.com/jgraph/drawio/issues/493 https://github.com/jgraph/drawio/releases/tag/v29.7.9 |
| mutt–mutt | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43859 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt–mutt | mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43860 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt–mutt | mutt before 2.3.2 does not check for ‘ |
