Vulnerability Summary for the Week of May 25, 2026

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB’s webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0. 2026-05-26 7.5 CVE-2026-44847
AA-Team–Woocommerce Envato Affiliates Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1. 2026-05-26 7.1 CVE-2025-14361
Acrel Electrical–EEMS Enterprise Power Operation and Maintenance Cloud Platform A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument sort results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 7.3 CVE-2026-9523
Acrel Electrical–EEMS Enterprise Power Operation and Maintenance Cloud Platform A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 7.3 CVE-2026-9550
Agatasoft–Auto PingMaster AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious ping.txt file with shellcode and jump instructions that overwrite the SEH handler pointer to achieve code execution when the file contents are pasted into the application. 2026-05-25 8.4 CVE-2018-25360
agno-agi–agno agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques. 2026-05-29 8.3 CVE-2026-10105
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘q’ parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25413
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25414
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25415
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25416
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25417
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25418
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25419
Aiopmsd–AiOPMSD Final AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25420
airjp73–rvf RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2. 2026-05-27 8.2 CVE-2026-44483
amir20–dozzle Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2. 2026-05-26 8.6 CVE-2026-45298
Arjun Thakur–Duplicate Page and Post Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5. 2026-05-27 8.5 CVE-2026-49046
auth0–auth0.js Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0. 2026-05-27 7.1 CVE-2026-42280
Autodesk–3ds Max A maliciously crafted TIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2026-05-26 7.8 CVE-2026-7451
Autodesk–3ds Max A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-05-26 7.8 CVE-2026-7452
Autodesk–3ds Max A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-05-26 7.8 CVE-2026-7454
Avaiga–taipy Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in the ElementLibrary.get_resource() method in taipy/gui/extension/library.py that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check using str.startswith() without a trailing path separator. Attackers can send crafted GET requests with path traversal segments targeting a prefix-matching sibling directory on disk, bypassing the directory containment check because Flask’s path converter and Werkzeug’s WSGI layer preserve the traversal segments while the resolved path still satisfies the flawed startswith comparison, enabling unauthorized file access outside the intended library directory. 2026-05-27 7.5 CVE-2026-48544
B&R Industrial Automation GmbH–PPT30 Operating System An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service. 2026-05-26 7.5 CVE-2025-11482
babel–babel Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13. 2026-05-26 8.2 CVE-2026-44728
bentoml–BentoML BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39. 2026-05-27 8.8 CVE-2026-44345
bentoml–BentoML BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39. 2026-05-27 8.8 CVE-2026-44346
better-auth–better-auth Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth’s HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9. 2026-05-28 7.3 CVE-2026-45364
bgermann–CformsII Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3. 2026-05-25 7.1 CVE-2026-39436
brainstormforce–Spectra Gutenberg Blocks Website Builder for the Block Editor The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request. 2026-05-30 8.8 CVE-2026-7465
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2. 2026-05-27 9.9 CVE-2026-46425
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0. 2026-05-27 9 CVE-2026-48150
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1. 2026-05-27 8.8 CVE-2026-45716
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource’s config object – including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports. This vulnerability is fixed in 3.38.1. 2026-05-27 8.8 CVE-2026-45717
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0. 2026-05-27 8.1 CVE-2026-48149
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0. 2026-05-27 8.1 CVE-2026-48152
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0. 2026-05-27 8.5 CVE-2026-48153
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string – in the path, query string, or fragment – passes this check. The URL then proceeds directly to fetchWithBlacklist() with no further validation of host, scheme, or path. Standalone, this vulnerability is blocked by Budibase’s default SSRF blacklist, which covers private IP ranges. But the URL validation layer itself is broken regardless, and it directly enables SSRF in two realistic situations: (1) when chained with the BLACKLIST_IPS bypass ([001]), where the blacklist is empty; and (2) when the plugin server follows HTTP redirects from an external URL to an internal target (the default node-fetch behavior with redirect: 'follow'). This vulnerability is fixed in 3.35.10. 2026-05-27 7.7 CVE-2026-45061
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8. 2026-05-27 7.7 CVE-2026-45548
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. This vulnerability is fixed in 3.38.1. 2026-05-27 7.7 CVE-2026-45715
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content – SVG files with inline <script> tags, HTML pages with JavaScript, .js modules – which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2. 2026-05-27 7.6 CVE-2026-46426
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role can call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3. 2026-05-27 7.7 CVE-2026-46427
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0. 2026-05-27 7.7 CVE-2026-48146
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0. 2026-05-27 7.5 CVE-2026-48151
Bylancer–Zechat Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Attackers can send crafted requests to profile.php with UNION-based SQL injection payloads to retrieve table names, column names, and sensitive data from the information_schema database. 2026-05-29 8.2 CVE-2018-25382
Canonical–Multipass An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape. 2026-05-28 8.4 CVE-2026-49238
Canonical–Multipass An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation. 2026-05-28 7.8 CVE-2026-49237
Canonical–Ubuntu Linux Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution. 2026-05-28 7.8 CVE-2026-47331
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine. 2026-05-28 7.8 CVE-2026-47333
chatwoot–chatwoot Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2. 2026-05-26 8.5 CVE-2026-44706
checkpoint–Quantum Security Gateway The VPN service may mishandle an unexpected IKE fragment value received on the IKE port 500/UDP during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related functionality). 2026-05-26 8.1 CVE-2026-48131
checkpoint–Quantum Security Gateway The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN negotiations/traffic). 2026-05-26 8.1 CVE-2026-48132
checkpoint–Quantum Security Gateway When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway. 2026-05-26 7.5 CVE-2026-48133
cli–cli GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user’s github.com token. For hosts that don’t match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0. 2026-05-29 7.4 CVE-2026-48501
code-projects–Online Hospital Management System A security vulnerability has been detected in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2026-05-31 7.3 CVE-2026-10186
code-projects–Online Music Site A vulnerability was detected in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminEditAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. 2026-05-31 7.3 CVE-2026-10178
code-projects–Project Management System A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. 2026-05-26 7.3 CVE-2026-9584
code-projects–Student Details Management System A vulnerability was detected in code-projects Student Details Management System 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument roll results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2026-05-30 7.3 CVE-2026-10110
code100x–code100x code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the ‘g’ HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator. 2026-05-26 8.2 CVE-2026-8890
CodeRevolution–Crawlomatic Multipage Scraper Post Generator The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied ‘callback_raw’ shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the ‘callback’ attribute, providing a second independent vector through the same shortcode. 2026-05-28 8.8 CVE-2026-9009
CODESYS–CODESYS Control RTE (SL) The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges. 2026-05-26 8.1 CVE-2026-8046
CODESYS–CODESYS Control RTE (SL) The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device. 2026-05-26 7.5 CVE-2026-8047
CODESYS–CODESYS Development System The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components. 2026-05-26 7.8 CVE-2026-44468
CODESYS–CODESYS Development System The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation. 2026-05-26 7.8 CVE-2026-44469
Commentcamarche–Free MP3 CD Ripper Free MP3 CD Ripper 2.8 contains a stack-based buffer overflow vulnerability in WMA file processing that allows local attackers to bypass DEP protection via structured exception handling manipulation. Attackers can craft a malicious WMA file that triggers the overflow when loaded through the Convert function, enabling execution of arbitrary code through ROP chain gadgets and shellcode injection. 2026-05-29 8.4 CVE-2018-25383
CP Plus–CP-UNR-108F1 Hardware A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft. 2026-05-29 8.4 CVE-2026-6824
Crocoblock–JetEngine Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1. 2026-05-25 9.3 CVE-2026-42774
croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘append_where_sql’ parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget’s frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP’s superglobals are not populated and the blocklist check silently passes. 2026-05-28 7.5 CVE-2026-7797
cservit–affiliate-toolkit Multi-Network Affiliate & Amazon Product Display The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine’s runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template. 2026-05-27 7.2 CVE-2026-6169
cssigniterteam–GutenBee Gutenberg Blocks The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string ‘.json’ rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. 2026-05-28 8.8 CVE-2026-9227
czlonkowski–n8n-mcp n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers – or supplied only one of them – silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator’s own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator’s instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2. 2026-05-29 8.1 CVE-2026-45707
Danelec–MacGregor Voyage Data Recorder (VDR) G4e Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials. 2026-05-29 8.3 CVE-2026-42929
Danelec–MacGregor Voyage Data Recorder (VDR) G4e The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change. 2026-05-29 8.3 CVE-2026-42941
Das–Parking Management System A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp_cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 7.3 CVE-2026-9551
Das–Parking Management System A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 7.3 CVE-2026-9552
DataDog–guarddog GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller’s GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in . 2026-05-27 8.2 CVE-2026-44971
Delta Electronics–DIAView There is a mitigation bypass (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access). An unauthenticated remote attacker can access configured databases in a DIAView project. 2026-05-26 9.8 CVE-2026-9642
Deltasql–Delta Sql Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution. 2026-05-30 9.8 CVE-2018-25412
devsabbirahmed–Firebase Support & Chat Management The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user – including an Administrator – by submitting that user’s email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover. 2026-05-27 8.8 CVE-2026-8787
dglingren–Media Library Assistant The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request. 2026-05-29 8.1 CVE-2026-6075
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback (“better-auth-secret-123456789”) lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3. 2026-05-29 10 CVE-2026-45631
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges. 2026-05-29 9.6 CVE-2026-45628
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise. 2026-05-29 9.9 CVE-2026-45629
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation. 2026-05-29 9 CVE-2026-45630
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server. 2026-05-29 9.9 CVE-2026-45632
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges. 2026-05-29 9.9 CVE-2026-45633
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy’s remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments. 2026-05-29 9.9 CVE-2026-45661
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or “, an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host. 2026-05-29 9.9 CVE-2026-45663
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl. 2026-05-29 8.8 CVE-2026-45662
Dylan Kuhn–Geo Mashup Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through <= 1.13.19. 2026-05-27 7.1 CVE-2026-42734
e107inc–e107 e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4. 2026-05-26 8.1 CVE-2026-43935
e4jvikwp–VikBooking Hotel Booking Engine & PMS Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. 2026-05-27 8.6 CVE-2026-42737
e4jvikwp–VikBooking Hotel Booking Engine & PMS Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. 2026-05-27 7.1 CVE-2026-42762
Edimax–BR-6478AC A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. 2026-05-30 8.8 CVE-2026-10125
Edimax–BR-6478AC A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-30 8.8 CVE-2026-10126
Edimax–BR-6478AC A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. 2026-05-31 8.8 CVE-2026-10163
Edimax–BR-6478AC A vulnerability was found in Edimax BR-6478AC 1.23. Impacted is the function formUSBFolder of the file /goform/formUSBFolder of the component POST Request Handler. The manipulation of the argument ShareName/SelectName results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. 2026-05-31 8.8 CVE-2026-10164
Edimax–BR-6478AC A vulnerability was identified in Edimax BR-6478AC 1.23. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used. 2026-05-31 8.8 CVE-2026-10165
Edimax–BR-6478AC A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formiNICSiteSurvey of the file /goform/formiNICSiteSurvey of the component POST Request Handler. Executing a manipulation of the argument selSSID can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9442
Edimax–BR-6478AC A security vulnerability has been detected in Edimax BR-6478AC 1.23. This vulnerability affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. The manipulation of the argument L2TPUserName leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9443
Edimax–EW-7438RPn A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The impacted element is the function formWlanMP of the file /goform/formWlanMP. The manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9425
Edimax–EW-7438RPn A vulnerability was detected in Edimax EW-7438RPn 1.31. This affects the function formHwSet of the file /goform/formHwSet. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/initgain/txcck/txofdm/submit-url results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9426
Edimax–EW-7438RPn A flaw has been found in Edimax EW-7438RPn 1.31. This impacts the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component webs. This manipulation of the argument selSSID/submit-url causes stack-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9427
Edimax–EW-7438RPn A security flaw has been discovered in Edimax EW-7438RPn 1.31. This affects the function formConnectionSetting of the file /goform/formConnectionSetting. Performing a manipulation of the argument max_Conn/timeOut results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9459
Edimax–EW-7438RPn A weakness has been identified in Edimax EW-7438RPn 1.31. This impacts the function formAccept of the file /goform/formAccept. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9460
Edimax–EW-7438RPn A security vulnerability has been detected in Edimax EW-7438RPn 1.31. Affected is the function formRadius of the file /goform/formRadius. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9461
Edimax–EW-7438RPn A vulnerability was detected in Edimax EW-7438RPn 1.31. Affected by this vulnerability is the function formWpsProxyEnable of the file /goform/formWpsProxyEnable. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9462
Edimax–EW-7438RPn A flaw has been found in Edimax EW-7438RPn 1.31. Affected by this issue is the function formLicence of the file /goform/formLicence. This manipulation of the argument submit-url causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9463
Edimax–EW-7438RPn A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The affected element is the function formLogout of the file /goform/formLogout. The manipulation of the argument submit-url leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9479
Edimax–EW-7438RPn A vulnerability was detected in Edimax EW-7438RPn 1.31. The impacted element is the function formrefresh of the file /goform/formrefresh. The manipulation of the argument submit-url results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9480
Edimax–EW-7438RPn A flaw has been found in Edimax EW-7438RPn 1.31. This affects the function formStats of the file /goform/formStats. This manipulation of the argument submit-url causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9481
Edimax–EW-7438RPn A vulnerability has been found in Edimax EW-7438RPn 1.31. This impacts the function formSDHCP of the file /goform/formSDHCP. Such manipulation of the argument submit-url leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 8.8 CVE-2026-9482
edward_plainview–MyCryptoCheckout Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161. 2026-05-25 7.5 CVE-2026-45209
Elastic–Kibana Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block. 2026-05-28 7.7 CVE-2026-42398
Elastic–Kibana Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role. 2026-05-28 7.2 CVE-2026-49095
ellanetworks–core Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE’s AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE’s logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0. 2026-05-27 7.1 CVE-2026-44473
eMagicOne–eMagicOne Store Manager Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection. This issue affects eMagicOne Store Manager: from n/a through 1.3.2. 2026-05-25 9.3 CVE-2026-42773
Endonesia–eNdonesia Portal eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25405
Endonesia–eNdonesia Portal eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information. 2026-05-30 8.2 CVE-2018-25406
Endonesia–eNdonesia Portal eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details. 2026-05-30 8.2 CVE-2018-25407
Eppendorf–BioFlo 320 Eppendorf BioFlo 320 is vulnerable due to its VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the attacker would have full access to all control panel features for the BioFlo 320. VNC traffic is not encrypted. 2026-05-26 9.8 CVE-2026-7251
eregistrasi-kejuaraan-silat–Registrasi Pencak Silat E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai parameter. Attackers can send GET requests to monitor_nilai.php with crafted SQL payloads in the id_partai parameter to extract sensitive database information including admin credentials and user data. 2026-05-29 8.2 CVE-2018-25385
error311–FileRise FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user’s existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim’s password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim’s authenticator device. This vulnerability is fixed in 3.12.0. 2026-05-27 7.4 CVE-2026-44460
eskapism–Simple History Track, Log, and Audit WordPress Changes The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event – including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default. 2026-05-30 7.5 CVE-2026-7459
esm-dev–esm.sh esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin’s handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. 2026-05-28 7.5 CVE-2026-44594
espressif–shared-github-dangerjs Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action’s entrypoint.sh invoked DangerJS from the caller’s workspace after copying the fork’s checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action’s own code. This vulnerability is fixed in 1.0.1. 2026-05-28 8.2 CVE-2026-44358
Extro–eXtroForms Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data. 2026-05-25 7.1 CVE-2018-25380
Extro–Responsive Portfolio Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details. 2026-05-25 7.1 CVE-2018-25381
factionsecurity–faction FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3. 2026-05-26 9.8 CVE-2026-44668
factionsecurity–faction FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. 2026-05-26 8.7 CVE-2026-44667
factionsecurity–faction FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. 2026-05-26 8.7 CVE-2026-44669
flippercode–WP Maps Pro The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover. 2026-05-29 9.8 CVE-2026-8732
FoundDream–miniclawd A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 7.3 CVE-2026-9452
FoundDream–miniclawd A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 7.3 CVE-2026-9453
Fourth Frontier–Frontier X Android application The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application. 2026-05-29 8.8 CVE-2026-5768
fraillt–bitsery A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 addresses this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised. 2026-05-26 7.3 CVE-2026-9521
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2. 2026-05-27 10 CVE-2026-44327
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2. 2026-05-27 10 CVE-2026-44329
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true — and it is not. This vulnerability is fixed in 4.2.2. 2026-05-27 10 CVE-2026-44330
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config’s ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2. 2026-05-27 9.4 CVE-2026-44315
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer token (e.g. Authorization: Bearer not-a-real-token). This includes creating AnyUeInd=true subscriptions intended to affect group / any-UE traffic steering. The route group is also reachable even when the running config’s ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2. 2026-05-27 9.4 CVE-2026-44326
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration. Because the middleware is missing, requests to the /npcf-smpolicycontrol/v1/sm-policies, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update, and /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoints can reach business logic even when no valid OAuth token is provided. This vulnerability is fixed in 4.2.2. 2026-05-27 8.2 CVE-2026-42083
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2. 2026-05-27 8.2 CVE-2026-44328
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2. 2026-05-27 7.5 CVE-2026-44316
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications(), the notifier calls NnefPFDmanagementNotify(…) and on any delivery error invokes logger.PFDManageLog.Fatal(err), which is os.Exit(1)-equivalent in Go. An attacker who can create a PFD subscription with an attacker-chosen notifyUri and then trigger a PFD change can deterministically kill NEF on the asynchronous delivery attempt — the process exits with status 1, dropping NEF’s entire SBI surface until restart. This vulnerability is fixed in 4.2.2. 2026-05-27 7.5 CVE-2026-44319
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler — the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2. 2026-05-27 7.3 CVE-2026-44320
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(…) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2. 2026-05-27 7.5 CVE-2026-44321
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler’s errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2. 2026-05-27 7.5 CVE-2026-44322
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field’s real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable. This vulnerability is fixed in 4.2.2. 2026-05-27 7.5 CVE-2026-44325
FreeRDP–FreeRDP FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash. 2026-05-26 8.8 CVE-2026-40033
FreeRDP–FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP’s server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0. 2026-05-29 8.8 CVE-2026-44420
FreeRDP–FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0. 2026-05-29 8.8 CVE-2026-44421
FreeRDP–FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP’s RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object’s expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client’s RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0. 2026-05-29 7.5 CVE-2026-44422
freescout-help-desk–freescout FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout’s FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-…) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies – which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220. 2026-05-29 7.5 CVE-2026-47123
Fyffe–PHP-Twitter-Clone Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit union-based or time-based blind SQL injection payloads to extract sensitive database information including usernames, passwords, and database credentials. 2026-05-25 8.2 CVE-2018-25362
Fyffe–PHP-Twitter-Clone Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Attackers can submit crafted payloads to the search.php endpoint to extract database information including usernames, credentials, and system data using error-based and union-based SQL injection techniques. 2026-05-25 8.2 CVE-2018-25364
Gallagher–Command Centre Server Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre. 2026-05-25 8.1 CVE-2026-25193
GDAL–GDAL In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp. 2026-05-27 7.4 CVE-2026-49014
Genetec Inc.–Genetec RabbitMQ A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack. 2026-05-26 7.8 CVE-2026-25112
getarcaneapp–arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane’s huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository’s URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker’s host – producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0. 2026-05-29 9.9 CVE-2026-45625
getarcaneapp–arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane’s origin and rides the victim’s HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0. 2026-05-29 8.2 CVE-2026-45627
getarcaneapp–arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project’s compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects. This vulnerability is fixed in 1.19.2. 2026-05-29 8.8 CVE-2026-47125
getarcaneapp–arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project’s compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user’s password hash and API key), enabling escalation to admin and, via Arcane’s Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4. 2026-05-29 7.7 CVE-2026-47179
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user’s identity due to improper user identity resolution when triggering Duo AI workflow runners. 2026-05-27 8.2 CVE-2026-4868
gitoxide–gitoxide gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution. 2026-05-26 7.8 CVE-2026-40034
Gladinet–Triofox A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome. 2026-05-27 9.8 CVE-2026-8362
Gladinet–Triofox A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources: 2026-05-27 9.8 CVE-2026-8363
Gladinet–Triofox Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache. 2026-05-27 9.8 CVE-2026-8364
Gladinet–Triofox When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is loaded to handle such URL patterns, and the WOSBin_LoadHttpModule function in that DLL is called to set up a “module” object for it. However, WOSHttpStatusModule.dll is not present in the installation. As a result, the function pointer to WOSBin_LoadHttpModule (which would have been resolved from the export table of WOSHttpStatusModule.dll) is set to NULL, resulting in a call to a function at address 0. 2026-05-27 7.5 CVE-2026-8359
Gladinet–Triofox Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced. 2026-05-27 7.5 CVE-2026-8360
Gladinet–Triofox A path traversal vulnerability exists in WOSDefaultHttpModule.dll when processing a URL path starting with /woshome. 2026-05-27 7.5 CVE-2026-8361
glboy–OTP Login With Phone Number, OTP Verification The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim’s stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim’s phone number in the same request. 2026-05-29 9.8 CVE-2026-3655
globalscape–CuteFTP CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Attackers can craft a payload exceeding 520 bytes that overwrites the return address and executes shellcode when a shortcut is created and launched. 2026-05-25 8.4 CVE-2018-25366
GNU–libredwg A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying the patch is the recommended action to fix this issue. 2026-05-26 7.3 CVE-2026-9605
go-git–go-billy Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0. 2026-05-28 8.1 CVE-2026-44973
hahwul–dalfox Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes –api-key. Because model.Options – including FoundAction and FoundActionShell – is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0. 2026-05-27 10 CVE-2026-45087
hahwul–dalfox Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker’s request body, then propagated unchanged through dalfox.Initialize into the scan engine’s logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0. 2026-05-27 8.2 CVE-2026-45089
hahwul–dalfox Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker’s request body, then propagated unchanged through dalfox.Initialize into the scan engine. The engine passes the value to voltFile.ReadLinesOrLiteral, which reads lines from any file path accessible to the dalfox process and embeds each line as an XSS payload in outbound HTTP requests directed at the attacker-controlled target URL. Because the server has no API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files on the dalfox host by reading them line-by-line through scan traffic. This vulnerability is fixed in 2.13.0. 2026-05-27 7.5 CVE-2026-45088
hahwul–dalfox Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage – which processes POST-body parameters (dp) – is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != “” (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0. 2026-05-27 7.5 CVE-2026-45090
hanxi–xiaomusic xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server. 2026-05-29 7.5 CVE-2026-10108
hassantafreshi–Easy Form Builder Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection. This issue affects Easy Form Builder: from n/a through <= 4.0.6. 2026-05-27 9.3 CVE-2026-42747
haxtheweb–haxcms-nodejs HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue. 2026-05-29 8.7 CVE-2026-48527
Heatmiser–Heatmiser Wifi Thermostat Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat. 2026-05-29 7.5 CVE-2018-25396
hemant6488–CodeIgniter-StudentManagementSystem A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-26 7.3 CVE-2026-9517
himmelblau-idm–himmelblau Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user’s UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11. 2026-05-27 8.4 CVE-2026-45108
Hitachi Vantara–Pentaho Data Integration and Analytics Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities. 2026-05-27 7.7 CVE-2026-2253
HKUDS–DeepCode DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette’s path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request. 2026-05-28 7.5 CVE-2026-32847
Hmbown–CodeWhale CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23. 2026-05-28 9.6 CVE-2026-45311
Hmbown–CodeWhale CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26. 2026-05-28 9.6 CVE-2026-45374
Hmbown–CodeWhale CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL’s resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22. 2026-05-28 7.4 CVE-2026-45310
Hmbown–CodeWhale CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although the SSRF check validates hostnames that resolve to private IPv6 addresses, when the IPv6 address is given literally in the URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26. 2026-05-28 7.4 CVE-2026-45373
home-assistant–core Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView: window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws, exposure of the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier, allow a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend’s main-frame origin and exfiltrate the signed-in user’s access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android. 2026-05-29 8.3 CVE-2026-44698
HT Plugins–HT Contact Form 7 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 2.8.2. 2026-05-27 7.1 CVE-2026-42728
htplugins–HT Contact Form Drag & Drop Form Builder for WordPress The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘file_upload’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the ‘Store Submissions’ setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer. 2026-05-28 7.2 CVE-2026-7052
hwk-fr–Advanced Custom Fields: Extended The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter – with no authentication or integrity verification – to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field. 2026-05-28 9.8 CVE-2026-8809
IBM–Aspera High-Speed Transfer Endpoint IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution. 2026-05-27 9.8 CVE-2026-8175
IBM–Aspera High-Speed Transfer Endpoint IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could allow an authenticated user to execute arbitrary code on the system. 2026-05-27 8.8 CVE-2026-8179
IBM–Aspera High-Speed Transfer Endpoint IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential denial of service in the asperahttpd component. An unauthenticated user can cause the asperahttpd service to crash. 2026-05-27 7.5 CVE-2026-8180
IBM–Controller IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. 2026-05-27 8.8 CVE-2026-5065
IBM–Db2 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled. 2026-05-27 7.1 CVE-2026-1718
IBM–Engineering Lifecycle Management IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application. 2026-05-26 9.8 CVE-2026-3660
IBM–Engineering Lifecycle Management IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. 2026-05-26 7.1 CVE-2026-3603
IBM–Engineering Lifecycle Management IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted. 2026-05-26 7.2 CVE-2026-4051
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 contain a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service. 2026-05-26 8 CVE-2026-8834
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication). 2026-05-26 8.1 CVE-2026-8855
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to an invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service. 2026-05-26 7.3 CVE-2026-8835
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional module mod_ibm_upload. 2026-05-26 7.5 CVE-2026-8850
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional module mod_mem_cache. 2026-05-26 7.5 CVE-2026-8854
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration. 2026-05-26 7.7 CVE-2026-8856
IBM–InfoSphere Optim Test Data Fabrication IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. 2026-05-27 7.5 CVE-2026-3366
IBM–Langflow OSS IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction. 2026-05-27 9.8 CVE-2026-7524
IBM–Langflow OSS IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption. 2026-05-27 7.1 CVE-2026-7528
IBM–Netezza Performance Server Replication Services IBM Netezza Performance Server Replication Services 3.0.2.0 through 3.0.5.0 allows an attacker with low-privileged access to escalate their privileges to root. By exploiting this flaw, the attacker can execute root-level commands, obtain a root shell, and change the root user’s password. Successful exploitation also enables modification or removal of system-wide files and the installation of persistent backdoors. This results in full system compromise with complete loss of confidentiality, integrity, and availability. 2026-05-27 7.8 CVE-2026-3623
IBM–Operations Analytics – Log Analysis IBM Operations Analytics – Log Analysis and IBM SmartCloud Analytics – Log Analysis use default passwords from the manufacturing process during the installation process, which could allow an attacker to bypass authentication. 2026-05-27 8.4 CVE-2026-7365
IBM–QRadar IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system. 2026-05-27 7.2 CVE-2024-56462
IBM–Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request. 2026-05-26 9.8 CVE-2026-8633
IBM–Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request. 2026-05-26 7.5 CVE-2026-8620
india-web-developer–Login with OTP The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise. 2026-05-27 9.8 CVE-2026-8760
inducer–relate RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator’s browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python’s % string formatting. This bypasses Django’s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin’s browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue. 2026-05-27 8.7 CVE-2026-42197
infiniflow–ragflow RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI. 2026-05-29 9.9 CVE-2026-45312
IniLerm–Advanced IP Blocker Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS. This issue affects Advanced IP Blocker: from n/a through <= 8.10.7. 2026-05-27 7.1 CVE-2026-42739
Interinfo–DreamMaker DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-05-29 9.8 CVE-2026-10071
Interinfo–DreamMaker DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-05-29 7.2 CVE-2026-10072
Interinfo–DreamMaker DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files. 2026-05-29 7.5 CVE-2026-10073
intranda–goobi-viewer-core The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1. 2026-05-27 9.8 CVE-2026-45083
Iqonic Design–KiviCare Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation. This issue affects KiviCare: from n/a through <= 4.3.0. 2026-05-27 8.2 CVE-2026-42735
itsourcecode–Courier Management System A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. 2026-05-26 7.3 CVE-2026-9606
itsourcecode–Electronic Judging System A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /admin/edit_judge.php. The manipulation of the argument judge_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2026-05-26 7.3 CVE-2026-9525
itsourcecode–Electronic Judging System A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/edit_team.php. The manipulation of the argument num_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. 2026-05-26 7.3 CVE-2026-9526
itsourcecode–Electronic Judging System A vulnerability was identified in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /admin/delete_judge.php. Such manipulation of the argument judge_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. 2026-05-26 7.3 CVE-2026-9528
itsourcecode–Student Transcript Processing System A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0. This affects an unknown part of the file /admin/modules/student/index.php?view=view. Performing a manipulation of the argument studentId results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. 2026-05-26 7.3 CVE-2026-9573
itsourcecode–Student Transcript Processing System A flaw has been found in itsourcecode Student Transcript Processing System 1.0. This vulnerability affects unknown code of the file /admin/modules/student/trans.php. Executing a manipulation of the argument studentId/cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. 2026-05-26 7.3 CVE-2026-9574
itsourcecode–Student Transcript Processing System A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2026-05-26 7.3 CVE-2026-9575
JasperFx–marten Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten’s full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1. 2026-05-28 9.8 CVE-2026-45288
JeecgBoot–JeecgBoot A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component. 2026-05-26 7.3 CVE-2026-9580
JetBrains–IntelliJ IDEA In JetBrains IntelliJ IDEA before 2026.1.1, command execution was possible via the guest user account. 2026-05-29 8 CVE-2026-49367
JetBrains–IntelliJ IDEA In JetBrains IntelliJ IDEA before 2026.1.1, command injection was possible via filename completion. 2026-05-29 7.8 CVE-2026-49366
JetBrains–TeamCity In JetBrains TeamCity before 2026.1.1, reflected XSS in the keyword filter was possible. 2026-05-29 7.1 CVE-2026-49371
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, 2025.11.5, unauthenticated SSRF via build status was possible. 2026-05-29 7.5 CVE-2026-49372
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, remote code execution was possible via Perforce connection settings. 2026-05-29 7.1 CVE-2026-49373
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, improper permission checks exposed build configuration parameters. 2026-05-29 7.6 CVE-2026-49374
JetBrains–YouTrack In JetBrains YouTrack before 2026.1.13162, stored XSS in project notification templates was possible. 2026-05-29 8.7 CVE-2026-49368
Jinan USR IOT Technology Limited (PUSR)–USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services. 2026-05-29 9.8 CVE-2026-7786
jpadilla–pyjwt PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0. 2026-05-28 7.4 CVE-2026-48526
jpettitt–meshcore-card MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3. 2026-05-28 9.6 CVE-2026-45323
Jthemes–Themebox – Digital Products Ecommerce Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jthemes Themebox – Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox – Digital Products Ecommerce: from n/a through 1.4.2. 2026-05-27 7.1 CVE-2025-52747
jxxghp–MoviePilot MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources. 2026-05-29 7.7 CVE-2026-10107
Kados–Kados R10 GreenBee Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of boards_buttons/update_release.php. The release_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version. 2026-05-29 8.2 CVE-2018-25394
Kados–Kados R10 GreenBee Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version. 2026-05-29 8.2 CVE-2018-25395
karakeep-app–karakeep Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward internal/private network destinations, these protections could be bypassed through crafted HTTP redirect chains. By leveraging attacker-controlled redirects, an authenticated user could cause vulnerable application components to initiate requests toward internally reachable Docker network services accessible from the application environment. The issue affected multiple processing paths, including crawler-related functionality and video download processing flows. Version 0.32.0 contains a patch. 2026-05-26 7.6 CVE-2026-45082
kaspernj–form-data-objectizer form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[…] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1. 2026-05-29 8.2 CVE-2026-46510
klever-io–klever-go Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17. 2026-05-29 8.6 CVE-2026-44697
KLiK–KLiK SocialMediaWebsite A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-25 7.3 CVE-2026-9421
KLiK–KLiK SocialMediaWebsite A vulnerability was identified in KLiK SocialMediaWebsite 1.0. This issue affects some unknown processing of the component HTTP POST Request Parameter Handler. Such manipulation leads to injection. The attack can be launched remotely. The exploit is publicly available and might be used. 2026-05-25 7.3 CVE-2026-9422
KMW–KM-IP521 The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings. 2026-05-29 9.1 CVE-2026-5386
Koa–@koa/router Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization. 2026-05-26 7.3 CVE-2026-9495
Kovah–LinkAce LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6. 2026-05-28 8.1 CVE-2026-45344
kysely-org–kysely Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) – including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type – every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17. 2026-05-27 7.5 CVE-2026-44635
labring–FastGPT FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1. 2026-05-29 7.7 CVE-2026-44285
Lakeside Software, LLC.–SysTrack Agent Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service. 2026-05-28 7.5 CVE-2026-39929
langchain-ai–langchain LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3. 2026-05-26 8.2 CVE-2026-44843
langchain-ai–langsmith-sdk LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK’s prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller’s own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0. 2026-05-27 7.1 CVE-2026-45134
learnnearclub–Login with NEAR The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function – registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users – accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation. 2026-05-27 8.1 CVE-2026-8994
leiweibau–Pi.Alert Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert’s web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python’s exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is required, making this an unauthenticated Remote Code Execution vulnerability. This vulnerability is fixed in 2026-05-07. 2026-05-27 9.8 CVE-2026-44887
leiweibau–Pi.Alert Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert’s SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python’s exec() every 3-5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07. 2026-05-27 9.8 CVE-2026-44888
LibVNC–libvncserver LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient’s Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1. 2026-05-27 8.8 CVE-2026-44988
linkwhspr–Link Whisper Free The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-29 7.2 CVE-2025-11262
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 (“RDMA/iwcm: Simplify cm_event_handler()”) changed the work submission logic to unconditionally call queue_work() with the expectation that queue_work() would have no effect if work was already pending. The problem is that a free list of struct iwcm_work is used (for which struct work_struct is embedded), so each call to queue_work() is basically unique and therefore does indeed queue the work. This causes a problem in the work handler which walks the work_list until it’s empty to process entries. This means that a single run of the work handler could process item N+1 and release it back to the free list while the actual workqueue entry is still queued. It could then get reused (INIT_WORK…) and lead to list corruption in the workqueue logic. Fix this by just removing the work_list. The workqueue already does this for us. This fixes the following error that was observed when stress testing with ucmatose on an Intel E830 in iWARP mode: [ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08) [ 151.466639] ————[ cut here ]———— [ 151.466986] kernel BUG at lib/list_debug.c:67! 
[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary) [ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 151.469192] Workqueue: 0x0 (iw_cm_wq) [ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100 [ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 [ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046 [ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027 [ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600 [ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff [ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68 [ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000 [ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000 [ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0 [ 151.475895] PKRU: 55555554 [ 151.476118] Call Trace: [ 151.476331] <TASK> [ 151.476497] move_linked_works+0x49/0xa0 [ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0 [ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0 [ 151.477479] process_scheduled_works+0x1c8/0x410 [ 151.477823] worker_thread+0x125/0x260 [ 151.478108] ? __pfx_worker_thread+0x10/0x10 [ 151.478430] kthread+0xfe/0x240 [ 151.478671] ? __pfx_kthread+0x10/0x10 [ 151.478955] ? __pfx_kthread+0x10/0x10 [ 151.479240] ret_from_fork+0x208/0x270 [ 151.479523] ? __pfx_kthread+0x10/0x10 [ 151.479806] ret_from_fork_asm+0x1a/0x30 [ 151.480103] </TASK> 2026-05-27 9.8 CVE-2026-45898
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free. 2026-05-27 9.8 CVE-2026-45972
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state – and then get requeued for a retry. Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response. Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE. 2026-05-27 9.8 CVE-2026-45988
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxgk: Fix potential integer overflow in length check Fix potential integer overflow in rxgk_extract_token() when checking the length of the ticket. Rather than rounding up the value to be tested (which might overflow), round down the size of the available data. 2026-05-27 9.8 CVE-2026-46039
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen: payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users. Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE. 2026-05-27 9.1 CVE-2026-46043
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps — iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps. 2026-05-28 9.8 CVE-2026-46115
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this. 2026-05-28 9.1 CVE-2026-46119
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes. 2026-05-28 9.8 CVE-2026-46135
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer. 2026-05-28 9.8 CVE-2026-46137
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory. 2026-05-28 9.1 CVE-2026-46155
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read. 2026-05-28 9.1 CVE-2026-46185
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points. 2026-05-28 9.8 CVE-2026-46195
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for — those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to. 2026-05-27 8.2 CVE-2026-45843
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculates a new entry on the stack and copies it to the table using a single structure assignment. struct pasid_entry *pte, new_pte; pte = intel_pasid_get_entry(dev, pasid); pasid_pte_config_first_level(iommu, &new_pte, …); *pte = new_pte; Because the hardware may fetch the 512-bit PASID entry in multiple 128-bit chunks, updating the entire entry while it is active (Present bit set) risks a “torn” read. In this scenario, the IOMMU hardware could observe an inconsistent state – partially new data and partially old data – leading to unpredictable behavior or spurious faults. Fix this by removing the unsafe “replace” helpers and following the “clear-then-update” flow, which ensures the Present bit is cleared and the required invalidation handshake is completed before the new configuration is applied. 2026-05-27 8.8 CVE-2026-45945
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix error handling in rxgk_extract_token() Fix a missing bit of error handling in rxgk_extract_token(): in the event that rxgk_decrypt_skb() returns -ENOMEM, it should just return that rather than continuing on (for anything else, it generates an abort). 2026-05-27 8.1 CVE-2026-46010
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmp_pointers Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged. 2026-05-27 8.2 CVE-2026-46037
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path. 2026-05-27 8.8 CVE-2026-46056
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ———– ——————————– seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst. 2026-05-27 8.1 CVE-2026-46099
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, “KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE”, 2026-03-27). The flow is as follows: – a PDE is installed for a 2MB mapping, and a page in that area is accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages; the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because the guest’s mapping is a huge page (and thus contiguous). – the PDE mapping is changed from outside the guest. – the guest accesses another page in the same 2MB area. KVM installs a new leaf SPTE and rmap entry; the SPTE uses the “correct” GFN (i.e. based on the new mapping, as changed in the previous step) but that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore the rmap entry cannot be found and removed when the kvm_mmu_page is zapped. – the memslot that covers the first 2MB mapping is deleted, and the kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove() only looks at the [sp->gfn, sp->gfn + 511] range established in step 1, and fails to find the rmap entry that was recorded by step 3. – any operation that causes an rmap walk for the same page accessed by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page. This includes dirty logging or MMU notifier invalidations (e.g., from MADV_DONTNEED). The underlying issue is that KVM’s walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn. 
Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE… which shouldn’t happen, but *actually* only happens in response to a guest write. That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the “wrong” shadow page. However, that was only an imprecision until 2032a93d66fa (“KVM: MMU: Don’t allocate gfns page for direct mmu pages”) came along. Fix it by checking for a target gfn mismatch and zapping the existing SPTE. That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy. 2026-05-28 8.8 CVE-2026-46113
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it’s related to the link of the vif being removed. Delete an existing station. Any “new_sta” is already being removed, so that doesn’t need changes. This fixes a use-after-free/double-free in debugfs if that’s enabled, because a vif going from MLD (and to MLD, but that’s not relevant here) recreates its entire debugfs. 2026-05-28 8.8 CVE-2026-46125
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG in case not all BIS could be set up properly. 2026-05-28 8.1 CVE-2026-46138
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray ‘static’ from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other’s result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result. 2026-05-28 8.8 CVE-2026-46152
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error. 2026-05-28 8.8 CVE-2026-46166
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2’s op cache Make sure resources are not improperly shared in the op cache and cause instruction corruption this way. 2026-05-28 8.8 CVE-2026-46174
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix integer overflow on buff_pos Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read. 2026-05-28 8.8 CVE-2026-46198
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped. 2026-05-28 8.8 CVE-2026-46212
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array. 2026-05-28 8.1 CVE-2026-46232
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM] 2026-05-28 8.8 CVE-2026-46238
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer ‘q’ is assigned to ‘srq->rq.queue’ before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in ‘srq->rq.queue’. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x…/0x… rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving ‘srq->rq.queue = q’ after copy_to_user. 2026-05-27 7.8 CVE-2026-45852
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr. If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace. Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller. This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding. Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr). 2026-05-27 7.1 CVE-2026-45856
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the ‘F_GSO’ capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment(). Move the check so that it is performed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time. For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry. While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries. This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren’t aggregated by GRO. Next patch adds a udpgro test case to cover this scenario. 2026-05-27 7.5 CVE-2026-45859
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: increase the connection clean up limit to 64 After the optimization to only perform one GC per jiffy, a new problem was introduced. If more than 8 new connections are tracked per jiffy the list won’t be cleaned up fast enough possibly reaching the limit wrongly. In order to prevent this issue, only skip the GC if it was already triggered during the same jiffy and the increment is lower than the clean up limit. In addition, increase the clean up limit to 64 connections to avoid triggering GC too often and do more effective GCs. This has been tested using an HTTP server and several performance tools while having nft_connlimit/xt_connlimit or OVS limit configured. Output of slowhttptest + OVS limit at 52000 connections: slow HTTP test status on 340th second: initializing: 0 pending: 432 connected: 51998 error: 0 closed: 0 service available: YES 2026-05-27 7.5 CVE-2026-45860
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Commit a475c5dd16e5 (“gfs2: Free quota data objects synchronously”) started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list. Fix this by removing qd objects from the LRU list before freeing them in qd_put(). Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>. 2026-05-27 7.8 CVE-2026-45861
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush cache for PASID table before using it When writing the address of a freshly allocated zero-initialized PASID table to a PASID directory entry, do that after the CPU cache flush for this PASID table, not before it, to avoid the time window when this PASID table may be already used by non-coherent IOMMU hardware while its contents in RAM is still some random old data, not zero-initialized. 2026-05-27 7.8 CVE-2026-45862
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id. If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array. drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely. This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones. Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow ‘pdd->watch_points’ 4 <= u32max user_rl=’0-3,2147483648-u32max’ uncapped drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd, 434 uint32_t watch_id) 435 { 436 int r; 437 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id)) kfd_dbg_owns_dev_watch_id() doesn’t check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined). 439 return -EINVAL; 440 441 if (!pdd->dev->kfd->shared_resources.enable_mes) { 442 r = debug_lock_and_unmap(pdd->dev->dqm); 443 if (r) 444 return r; 445 } 446 447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false); –> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch( 449 pdd->dev->adev, 450 watch_id); v2: (as per, Jonathan Kim) – Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path. – Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id(). 2026-05-27 7.8 CVE-2026-45878
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down PASID entry The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64 bytes). When tearing down an entry, the current implementation zeros the entire 64-byte structure immediately using multiple 64-bit writes. Since the IOMMU hardware may fetch these 64 bytes using multiple internal transactions (e.g., four 128-bit bursts), updating or zeroing the entire entry while it is active (P=1) risks a “torn” read. If a hardware fetch occurs simultaneously with the CPU zeroing the entry, the hardware could observe an inconsistent state, leading to unpredictable behavior or spurious faults. Follow the “Guidance to Software for Invalidations” in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake: 1. Clear only the ‘Present’ (P) bit of the PASID entry. 2. Use a dma_wmb() to ensure the cleared bit is visible to hardware before proceeding. 3. Execute the required invalidation sequence (PASID cache, IOTLB, and Device-TLB flush) to ensure the hardware has released all cached references. 4. Only after the flushes are complete, zero out the remaining fields of the PASID entry. Also, add a dma_wmb() in pasid_set_present() to ensure that all other fields of the PASID entry are visible to the hardware before the Present bit is set. 2026-05-27 7.8 CVE-2026-45894
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Drop __initconst from gates Since commit 8ceff24a754a (“clk: mediatek: clk-gate: Refactor mtk_clk_register_gate to use mtk_gate struct”) the mtk_gate structs are no longer just used for initialization/registration, but also at runtime. So drop __initconst annotations. 2026-05-27 7.8 CVE-2026-45909
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race condition in QP timer handlers I encountered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0 … libsha1 [last unloaded: ip6_udp_tunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P) retransmit_timer+0x130/0x188 [rdma_rxe] call_timer_fn+0x68/0x4d0 __run_timers+0x630/0x888 … WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0 … WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400 … refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400 The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair’s (QP) reference count dropping to zero during timer handler execution. It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests. Example of flow causing the issue: CPU0 CPU1 retransmit_timer() { spin_lock_irqsave rxe_destroy_qp() __rxe_cleanup() __rxe_put() // qp->ref_count decrease to 0 rxe_qp_do_cleanup() { if (qp->valid) { rxe_sched_task() { WARN_ON(rxe_read(task->qp) <= 0); } } spin_unlock_irqrestore } spin_lock_irqsave qp->valid = 0 spin_unlock_irqrestore } Ensure the QP’s reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use. 2026-05-27 7.8 CVE-2026-45910
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: – peer lookup, – skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), – ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic. 2026-05-27 7.8 CVE-2026-45929
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime. 2026-05-27 7.8 CVE-2026-45931
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix tcx/netkit detach permissions when prog fd isn’t given This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. 2026-05-27 7.3 CVE-2026-45932
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Preserve id of register in sync_linked_regs() sync_linked_regs() copies the id of known_reg to reg when propagating bounds of known_reg to reg using the off of known_reg, but when known_reg was linked to reg like: known_reg = reg ; both known_reg and reg get same id known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST now when a call to sync_linked_regs() happens, let’s say with the following: if known_reg >= 10 goto pc+2 known_reg’s new bounds are propagated to reg but now reg gets BPF_ADD_CONST from the copy. This means if another link to reg is created like: another_reg = reg ; another_reg should get the id of reg but assign_scalar_id_before_mov() sees BPF_ADD_CONST on reg and assigns a new id to it. As reg has a new id now, known_reg’s link to reg is broken. If we find new bounds for known_reg, they will not be propagated to reg. This can be seen in the selftest added in the next commit: 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar() 1: (57) r0 &= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 4: (a5) if r1 < 0xa goto pc+4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=10,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 5: (bf) r2 = r0 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) R2=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) 6: (a5) if r1 < 0xe goto pc+2 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=14,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 7: (35) if r0 >= 0xa goto pc+1 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=9,var_off=(0x0; 0xf)) 8: (37) r0 /= 0 div by zero When 4 is verified, r1’s bounds are propagated to r0 but r0 also gets BPF_ADD_CONST (bug). When 5 is verified, r0 gets a new id (2) and its link with r1 is broken. After 6 we know r1 has bounds [14, 259] and therefore r0 should have bounds [10, 255], therefore the branch at 7 is always taken. But because r0’s id was changed to 2, r1’s new bounds are not propagated to r0. The verifier still thinks r0 has bounds [6, 255] before 7 and execution can reach div by zero. Fix this by preserving id in sync_linked_regs() like off and subreg_def. 2026-05-27 7.8 CVE-2026-45933
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot In the ‘DeleteIndexEntryRoot’ case of the ‘do_action’ function, the entry size (‘esize’) is retrieved from the log record without adequate bounds checking. Specifically, the code calculates the end of the entry (‘e2’) using: e2 = Add2Ptr(e1, esize); It then calculates the size for memmove using ‘PtrOffset(e2, …)’, which subtracts the end pointer from the buffer limit. If ‘esize’ is maliciously large, ‘e2’ exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow. This commit adds a check to ensure that the entry size (‘esize’) strictly fits within the remaining used space of the index header before performing memory operations. 2026-05-27 7.8 CVE-2026-45935
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix e4b bitmap inconsistency reports A bitmap inconsistency issue was observed during stress tests under mixed huge-page workloads. Ext4 reported multiple e4b bitmap check failures like: ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as per group info. But got 8192 blocks Analysis and experimentation confirmed that the issue is caused by a race condition between page migration and bitmap modification. Although this timing window is extremely narrow, it is still hit in practice: folio_lock ext4_mb_load_buddy __migrate_folio check ref count folio_mc_copy __filemap_get_folio folio_try_get(folio) …… mb_mark_used ext4_mb_unload_buddy __folio_migrate_mapping folio_ref_freeze folio_unlock The root cause of this issue is that the fast path of load_buddy only increments the folio’s reference count, which is insufficient to prevent concurrent folio migration. We observed that the folio migration process acquires the folio lock. Therefore, we can determine whether to take the fast path in load_buddy by checking the lock status. If the folio is locked, we opt for the slow path (which acquires the lock) to close this concurrency window. Additionally, this change addresses the following issues: When the DOUBLE_CHECK macro is enabled to inspect bitmap-related issues, the following error may be triggered: corruption in group 324 at byte 784(6272): f in copy != ff on disk/prealloc Analysis reveals that this is a false positive. There is a specific race window where the bitmap and the group descriptor become momentarily inconsistent, leading to this error report: ext4_mb_load_buddy ext4_mb_load_buddy __filemap_get_folio(create|lock) folio_lock ext4_mb_init_cache folio_mark_uptodate __filemap_get_folio(no lock) …… mb_mark_used mb_mark_used_double mb_cmp_bitmaps mb_set_bits(e4b->bd_bitmap) folio_unlock The original logic assumed that since mb_cmp_bitmaps is called when the bitmap is newly loaded from disk, the folio lock would be sufficient to prevent concurrent access. However, this overlooks a specific race condition: if another process attempts to load buddy and finds the folio is already in an uptodate state, it will immediately begin using it without holding folio lock. 2026-05-27 7.8 CVE-2026-45942
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down context entry When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes. This creates a window where the hardware can fetch a “torn” entry – where some fields are already zeroed while the ‘Present’ bit is still set – leading to unpredictable behavior or spurious faults. While x86 provides strong write ordering, the compiler may reorder writes to the two 64-bit halves of the context entry. Even without compiler reordering, the hardware fetch is not guaranteed to be atomic with respect to multiple CPU writes. Align with the “Guidance to Software for Invalidations” in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake: 1. Clear only the ‘Present’ (P) bit of the context entry first to signal the transition of ownership from hardware to software. 2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU. 3. Perform the required cache and context-cache invalidation to ensure hardware no longer has cached references to the entry. 4. Fully zero out the entry only after the invalidation is complete. Also, add a dma_wmb() to context_set_present() to ensure the entry is fully initialized before the ‘Present’ bit becomes visible. 2026-05-27 7.5 CVE-2026-45944
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf. Fix this, and patch related code accordingly. v3: rephrase a comment (AI) v2: fix a refcount leak introduced in v1 (AI) 2026-05-27 7.8 CVE-2026-45951
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: fix to avoid directly dereferencing user pointer In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it. 2026-05-27 7.1 CVE-2026-45958
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: ccp – Fix a crash due to incorrect cleanup usage of kfree Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be `__free(kfree)`. The code coincidentally compiled because the parameter type `void *` of kfree is compatible with the desired type `struct { … } **`. 2026-05-27 7.8 CVE-2026-45959
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still running, leading to a null pointer dereference detected by KASAN. However, the root cause is that rlb_arp_recv() can still be accessed after setting recv_probe to NULL, which is actually a use-after-free (UAF) issue. That is the reason for using the referenced commit in the Fixes tag. The issue is reproducible by repeatedly running ip link set bond0 up/down while receiving ARP messages, where rlb_arp_recv() can race with rlb_deinitialize() and dereference a freed rx_hashtbl entry. Fix this by setting recv_probe to NULL and then calling synchronize_net() to wait for any concurrent RX processing to finish. This ensures that no RX handler can access rx_hashtbl after it is freed in bond_alb_deinitialize(). 2026-05-27 7.8 CVE-2026-45970
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Stop job scheduling across aie2_release_resource() Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes. Fix this by stopping job scheduling before calling aie2_release_resource() and restarting it after the release completes. Additionally, aie2_sched_job_run() now checks whether the hardware context is still active. 2026-05-27 7.8 CVE-2026-45980
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().] 2026-05-27 7.8 CVE-2026-45984
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[]. handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing. Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table. Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model. 2026-05-27 7.8 CVE-2026-45991
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: “outpages – inpages” wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let’s add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1 2026-05-27 7.1 CVE-2026-45999
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. [ Add Fixes: tag. – Danilo ] 2026-05-27 7.8 CVE-2026-46006
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition:
  CPU 0 (release)              CPU 1 (workqueue)
  ----------------             -----------------
  close()
  mtk_jpeg_release()           mtk_jpegenc_worker()
                               ctx = work->data    // accessing ctx
  kfree(ctx)                   // freed!
                               access ctx          // UAF!
The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations. 2026-05-27 7.8 CVE-2026-46011
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tcp: call sk_data_ready() after listener migration When inet_csk_listen_stop() migrates an established child socket from a closing listener to another socket in the same SO_REUSEPORT group, the target listener gets a new accept-queue entry via inet_csk_reqsk_queue_add(), but that path never notifies the target listener’s waiters. A nonblocking accept() still works because it checks the queue directly, but poll()/epoll_wait() waiters and blocking accept() callers can also remain asleep indefinitely. Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration in inet_csk_listen_stop(). However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired in reuseport_migrate_sock() is effectively transferred to nreq->rsk_listener. Another CPU can then dequeue nreq via accept() or listener shutdown, hit reqsk_put(), and drop that listener ref. Since listeners are SOCK_RCU_FREE, wrap the post-queue_add() dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also covers the existing sock_net(nsk) access in that path. The reqsk_timer_handler() path does not need the same changes for two reasons: half-open requests become readable only after the final ACK, where tcp_child_process() already wakes the listener; and once nreq is visible via inet_ehash_insert(), the success path no longer touches nsk directly. 2026-05-27 7.8 CVE-2026-46015
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol. 2026-05-27 7.5 CVE-2026-46024
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid early lgr access in smc_clc_wait_msg A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group. The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged. This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available. 2026-05-27 7.5 CVE-2026-46027
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/slab: return NULL early from kmalloc_nolock() in NMI on UP On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, kmalloc_nolock() called from NMI context can re-enter the slab allocator and acquire n->list_lock that the interrupted context is already holding, corrupting slab state. With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module: BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 […] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 get_from_partial_node+0x120/0x4d0 ___slab_alloc+0x8a/0x4c0 kmalloc_nolock_noprof+0x164/0x310 […] </NMI> Fix this by returning NULL early when invoked from NMI on a UP kernel. 2026-05-27 7 CVE-2026-46029
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables the TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without a received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28 2026-05-27 7.5 CVE-2026-46031
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array. Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations. Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect. 2026-05-27 7.8 CVE-2026-46036
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ceph: only d_add() negative dentries when they are unhashed Ceph can call d_add(dentry, NULL) on a negative dentry that is already present in the primary dcache hash. In the current VFS that is not safe. d_add() goes through __d_add() to __d_rehash(), which unconditionally reinserts dentry->d_hash into the hlist_bl bucket. If the dentry is already hashed, reinserting the same node can corrupt the bucket, including creating a self-loop. Once that happens, __d_lookup() can spin forever in the hlist_bl walk, typically looping only on the d_name.hash mismatch check and eventually triggering RCU stall reports like this one: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 87-….: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829 rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192) CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE Hardware name: Dell Inc. 
PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023 RIP: 0010:__d_lookup+0x46/0xb0 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f RSP: 0018:ff745a70c8253898 EFLAGS: 00000282 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: <TASK> lookup_fast+0x9f/0x100 walk_component+0x1f/0x150 link_path_walk+0x20e/0x3d0 path_lookupat+0x68/0x180 filename_lookup+0xdc/0x1e0 vfs_statx+0x6c/0x140 vfs_fstatat+0x67/0xa0 __do_sys_newfstatat+0x24/0x60 do_syscall_64+0x6a/0x230 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is reachable with reused cached negative dentries. A Ceph lookup or atomic_open can be handed a negative dentry that is already hashed, and fs/ceph/dir.c then hits one of two paths that incorrectly assume “negative” also means “unhashed”: – ceph_finish_lookup(): MDS reply is -ENOENT with no trace -> d_add(dentry, NULL) – ceph_lookup(): local ENOENT fast path for a complete directory with shared caps -> d_add(dentry, NULL) Both paths can therefore re-add an already-hashed negative dentry. Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn) is true. Fix both fs/ceph/dir.c sites the same way: only call d_add() for a negative dentry when it is actually unhashed. If the negative dentry is already hashed, leave it in place and reuse it as-is. 
This preserves the existing behavior for unhashed dentries while avoiding d_hash list corruption for reused hashed negatives. 2026-05-27 7.5 CVE-2026-46052
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path. 2026-05-27 7.8 CVE-2026-46053
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the “user” file) and the mounter’s credentials are sufficient to access the lower level file (the “backing” file). Unfortunately, the current code does not properly enforce these access controls for both mmap() and mprotect() operations on overlayfs filesystems. This patch makes use of the newly created security_mmap_backing_file() LSM hook to provide the missing backing file enforcement for mmap() operations, and leverages the backing file API and new LSM blob to provide the necessary information to properly enforce the mprotect() access controls. 2026-05-27 7.1 CVE-2026-46054
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix string overrun due to missing termination When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun: BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535) Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120 CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025 Call trace: show_stack (arch/arm64/kernel/stacktrace.c:501) (C) dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) __asan_report_load1_noabort (mm/kasan/report_generic.c:378) aa_dfa_match (security/apparmor/match.c:535) match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336) match_mnt (security/apparmor/mount.c:371) aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4)) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) Allocated by task 2120: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_alloc_info (mm/kasan/generic.c:571) __kasan_kmalloc 
(mm/kasan/common.c:419) __kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272) aa_get_buffer (security/apparmor/lsm.c:2201) aa_bind_mount (security/apparmor/mount.c:442) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) The buggy address belongs to the object at ffff0008901ca000 which belongs to the cache kmalloc-rnd-06-8k of size 8192 The buggy address is located 0 bytes to the right of allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0 flags: 0x8000000000000040(head|zone=2) page_type: f5(slab) raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
ffff0008 —truncated— 2026-05-27 7.1 CVE-2026-46055
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence:
  v4l2_m2m_try_run():          v4l2_m2m_ctx_release():
    lock/unlock
                                 v4l2_m2m_cancel_job()
                                   job_abort()
                                   v4l2_m2m_job_finish()
                                 kfree(m2m_ctx)  <- frees ctx
    device_run()  <- use-after-free crash at 0x538
Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition 2026-05-27 7.8 CVE-2026-46058
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix integer overflow in run_unpack() volume boundary check The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 (“ntfs3: Fix integer overflow in run_unpack()”). Found by fuzzing with a source-patched harness (LibAFL + QEMU). 2026-05-27 7.8 CVE-2026-46062
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal. Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot- unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state. 2026-05-27 7.8 CVE-2026-46065
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal containing payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing. 2026-05-27 7.1 CVE-2026-46070
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Raise #UD if unhandled VMMCALL isn’t intercepted by L1 Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1. The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it’s not intercepted. Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining “single” stub will soon be dropped as well. [sean: rewrite changelog and comment, tag for stable, remove defunct stubs] 2026-05-27 7.9 CVE-2026-46076
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com 2026-05-27 7.1 CVE-2026-46078
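Four of the entries above (CVE-2026-45999, CVE-2026-46006, CVE-2026-46062 and CVE-2026-46078) are one defect in different clothing: a bounds comparison whose arithmetic wraps before the compare runs. The example below is added here and is not kernel code; it reproduces each check's pre-fix and fixed form on plain integers. __builtin_add_overflow() stands in for the kernel's check_add_overflow(), the 12-byte erofs_dirent size is assumed, and the erofs variants return the computed length budget or page difference rather than performing the over-read themselves.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Stand-in for the kernel's check_add_overflow(): true if a + b wrapped, otherwise result in *d. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* 1. nouveau relocation check (CVE-2026-46006). reloc_bo_offset is __u32 and the literal 4 is an int,
 * so the sum is computed in 32 bits and wraps before it is compared with the size_t BO size. */
static bool reloc_in_bounds_buggy(u32 reloc_bo_offset, size_t bo_size)
{
	return !(reloc_bo_offset + 4 > bo_size);
}

static bool reloc_in_bounds_fixed(u32 reloc_bo_offset, size_t bo_size)
{
	return !((u64)reloc_bo_offset + 4 > bo_size);	/* the fix: add in 64-bit arithmetic */
}

/* 2. ntfs3 run_unpack() volume boundary (CVE-2026-46062). lcn + len is already 64-bit arithmetic,
 * but a crafted run can still wrap it around zero; the fix detects the wrap explicitly. */
static bool run_in_volume_buggy(u64 lcn, u64 len, u64 nbits)
{
	return !(lcn + len > nbits);
}

static bool run_in_volume_fixed(u64 lcn, u64 len, u64 nbits)
{
	u64 end;
	if (check_add_overflow(lcn, len, &end))
		return false;
	return end <= nbits;
}

/* 3. erofs trailing dirent (CVE-2026-46078). The length budget handed to strnlen() is
 * maxsize - nameoff; with nameoff >= maxsize it underflows. Returning the budget instead of
 * calling strnlen() keeps this demonstration free of the over-read itself. */
static size_t trailing_name_budget_buggy(size_t maxsize, size_t nameoff)
{
	return maxsize - nameoff;
}

#define EROFS_DIRENT_SIZE 12	/* assumed sizeof(struct erofs_dirent): 8-byte nid, 2-byte nameoff, type, reserved */

/* Returns the budget, or -1 if nameoff lies outside the block or nameoff0 is not dirent-aligned. */
static long long trailing_name_budget_fixed(size_t maxsize, size_t nameoff0, size_t nameoff)
{
	if (nameoff0 % EROFS_DIRENT_SIZE || nameoff >= maxsize)
		return -1;	/* corrupted image */
	return (long long)(maxsize - nameoff);
}

/* 4. erofs LZ4 in-place path (CVE-2026-45999). An illegal extent gives outpages < inpages and the
 * unsigned subtraction wraps to a huge rq->out[] index. */
static unsigned int overlap_pages_buggy(unsigned int outpages, unsigned int inpages)
{
	return outpages - inpages;
}

static long long overlap_pages_fixed(unsigned int outpages, unsigned int inpages)
{
	if (outpages < inpages)
		return -1;	/* reject before subtracting */
	return (long long)(outpages - inpages);
}

int main(void)
{
	printf("reloc 0xFFFFFFFD + 4 in a 4096-byte BO:  buggy=%d fixed=%d\n",
	       reloc_in_bounds_buggy(0xFFFFFFFDu, 4096), reloc_in_bounds_fixed(0xFFFFFFFDu, 4096));
	printf("run lcn=2^64-2 len=3 nbits=1000:         buggy=%d fixed=%d\n",
	       run_in_volume_buggy(UINT64_MAX - 1, 3, 1000), run_in_volume_fixed(UINT64_MAX - 1, 3, 1000));
	printf("dirent nameoff=4100 in 4096-byte block:  buggy budget=%zu fixed=%lld\n",
	       trailing_name_budget_buggy(4096, 4100), trailing_name_budget_fixed(4096, 12, 4100));
	printf("lz4 outpages=2 inpages=3:                buggy=%u fixed=%lld\n",
	       overlap_pages_buggy(2, 3), overlap_pages_fixed(2, 3));
	return 0;
}
```

The common rule: validate the operands (or use overflow-checked arithmetic) before forming the value you compare, because once the addition or subtraction has wrapped the comparison is checking a number the attacker chose. The 32-bit case is the subtle one, since the surrounding code is "already 64-bit" and only the promotion rules of the literal decide the width.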
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: acomp - fix wrong pointer stored by acomp_save_req() acomp_save_req() stores &req->chain in req->base.data. When acomp_reqchain_done() is invoked on asynchronous completion, it receives &req->chain as the data argument but casts it directly to struct acomp_req. Since data points to the chain member, all subsequent field accesses are at a wrong offset, resulting in memory corruption. The issue occurs when an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface (e.g. acomp_request_set_src_dma()). This combination causes crypto_acomp_compress() to enter the acomp_do_req_chain() path, which sets acomp_reqchain_done() as the completion callback via acomp_save_req(). With KASAN enabled, this manifests as a general protection fault in acomp_reqchain_done(): general protection fault, probably for non-canonical address 0xe000040000000000 KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007] RIP: 0010:acomp_reqchain_done+0x15b/0x4e0 Call Trace: <IRQ> qat_comp_alg_callback+0x5d/0xa0 [intel_qat] adf_ring_response_handler+0x376/0x8b0 [intel_qat] adf_response_handler+0x60/0x170 [intel_qat] tasklet_action_common+0x223/0x820 handle_softirqs+0x1ab/0x640 </IRQ> Fix this by storing the request itself in req->base.data instead of &req->chain, so that acomp_reqchain_done() receives the correct pointer. Simplify acomp_restore_req() accordingly to access req->chain directly. 2026-05-27 7.8 CVE-2026-46081
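An added example (not the kernel's crypto/acomp.c) of the pointer mix-up in the CVE-2026-46081 entry above: the request stores &req->chain as the completion cookie, and the callback casts that cookie straight to struct acomp_req *, so every field it reads is shifted by the chain member's offset. The structures are reduced stand-ins, the callback signature is simplified, the chain is poisoned with 0xDEAD so the misread is visible, and the container_of() variant is shown for contrast only; the fix the commit chose is the one in acomp_save_req_fixed(), storing the request itself.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced stand-ins for the structures involved; not the kernel's definitions. */
struct crypto_async_request {
	void *data;			/* opaque cookie handed back to the completion callback */
};

struct acomp_req_chain {
	unsigned int cur, total;	/* modeled chain bookkeeping */
	unsigned int scratch[6];
};

struct acomp_req {
	struct crypto_async_request base;
	unsigned int slen;		/* source length */
	unsigned int dlen;		/* destination length */
	struct acomp_req_chain chain;	/* embedded in the request at a non-zero offset */
};

/* Buggy acomp_save_req(): the cookie is the address of the chain member, not of the request. */
static void acomp_save_req_buggy(struct acomp_req *req)
{
	req->base.data = &req->chain;
}

/* Fixed acomp_save_req(): store the request itself, which is what the callback casts to. */
static void acomp_save_req_fixed(struct acomp_req *req)
{
	req->base.data = req;
}

/* acomp_reqchain_done() as described: the cookie is cast directly to struct acomp_req *.
 * With the buggy cookie every field access is shifted by offsetof(struct acomp_req, chain);
 * here that lands inside the poisoned chain, in the kernel it corrupts memory. */
static unsigned int acomp_reqchain_done(void *data)
{
	struct acomp_req *req = data;
	return req->slen;
}

/* Alternative recovery (not the fix the commit chose): if the cookie is known to be &req->chain,
 * container_of() walks back to the enclosing request instead of trusting the cast. */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static unsigned int acomp_reqchain_done_container_of(void *data)
{
	struct acomp_req *req = container_of((struct acomp_req_chain *)data, struct acomp_req, chain);
	return req->slen;
}

/* Build a request with slen = 1234, poison the chain with 0xDEAD, save the cookie with `save`,
 * then complete it through `done` the way an async driver would. Returns what `done` read as slen. */
static unsigned int complete_with(void (*save)(struct acomp_req *), unsigned int (*done)(void *))
{
	struct acomp_req req = { .slen = 1234, .dlen = 4096, .chain = { .cur = 0xDEAD, .total = 0xDEAD } };
	for (size_t i = 0; i < sizeof(req.chain.scratch) / sizeof(req.chain.scratch[0]); i++)
		req.chain.scratch[i] = 0xDEAD;
	save(&req);
	return done(req.base.data);	/* driver completion: passes back base.data untouched */
}

int main(void)
{
	printf("chain member sits at offset %zu in the request\n", offsetof(struct acomp_req, chain));
	printf("buggy cookie, direct cast:     slen=%u\n", complete_with(acomp_save_req_buggy, acomp_reqchain_done));
	printf("fixed cookie, direct cast:     slen=%u\n", complete_with(acomp_save_req_fixed, acomp_reqchain_done));
	printf("buggy cookie, container_of():  slen=%u\n", complete_with(acomp_save_req_buggy, acomp_reqchain_done_container_of));
	return 0;
}
```

The opaque void * cookie is the hazard: nothing at the store site or the cast site relates the two types, so a mismatch only shows up when an asynchronous path actually invokes the callback, which is why the report came from the QAT hardware path rather than from the common synchronous one.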
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxkad crypto unalignment handling Fix handling of a packet with a misaligned crypto length. Also handle non-ENOMEM errors from decryption by aborting. Further, remove the WARN_ON_ONCE() so that it can’t be remotely triggered (a trace line can still be emitted). 2026-05-27 7.5 CVE-2026-46085
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 (“ALSA: aloop: Fix racy access at PCM trigger”) moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer. Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit. 2026-05-27 7.8 CVE-2026-46090
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: take vmap_purge_lock in shrinker decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan(). However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks. Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users. 2026-05-27 7.8 CVE-2026-46093
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs: afs: revert mmap_prepare() change Partially reverts commit 9d5403b1036c (“fs: convert most other generic_file_*mmap() users to .mmap_prepare()”). This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment. Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this. 2026-05-27 7.8 CVE-2026-46100
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: strparser: fix skb_head leak in strp_abort_strp() When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head. That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory. Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized. 2026-05-27 7.5 CVE-2026-46102
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops. 2026-05-28 7.8 CVE-2026-46105
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren are not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared. 2026-05-28 7.8 CVE-2026-46107
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change. 2026-05-28 7.5 CVE-2026-46110
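A simulation of the descriptor lifecycle described in the CVE-2026-46110 entry above, added as an example; it is not the stmmac driver. The ring of eight descriptors, the NAPI budget, the MAC model and the allocation budget that makes stmmac_rx_refill() fail are constructed. stmmac_rx(r, 0) follows the pre-fix loop (OWN test only, iterations capped at ring size minus one); stmmac_rx(r, 1) adds the fix, which refuses to advance cur_rx onto a dirty entry and therefore never lets cur_rx catch up with dirty_rx.

```c
#include <string.h>

#define RING_SIZE 8
#define NAPI_BUDGET 64

struct rx_desc { int own; };	/* OWN=1: the MAC owns the buffer, OWN=0: the CPU does */

struct rx_ring {
	struct rx_desc desc[RING_SIZE];
	char *buf[RING_SIZE];		/* NULL marks a `dirty` descriptor (OWN=0, buffer gone) */
	char pool[RING_SIZE];		/* stand-in for the page allocations */
	unsigned int cur_rx, dirty_rx;	/* stmmac_rx() and stmmac_rx_refill() positions */
	unsigned int mac_rx;		/* where the MAC completes its next frame */
	int alloc_budget;		/* constructed: allocations left before "memory exhausted" */
	int delivered;			/* frames handed to the stack */
	int null_derefs;		/* times the loop would have dereferenced a NULL buffer */
};

struct rx_stats { int delivered, null_derefs; };

static void ring_init(struct rx_ring *r, int alloc_budget)
{
	memset(r, 0, sizeof(*r));
	for (unsigned int i = 0; i < RING_SIZE; i++) {
		r->buf[i] = &r->pool[i];
		r->desc[i].own = 1;	/* `empty`: armed for the MAC */
	}
	r->alloc_budget = alloc_budget;
}

/* The MAC fills consecutive descriptors it owns and hands each back with OWN=0 (`full`);
 * it stops at the first descriptor it does not own. */
static int mac_receive(struct rx_ring *r, int frames)
{
	int done = 0;
	while (done < frames && r->desc[r->mac_rx].own) {
		r->desc[r->mac_rx].own = 0;
		r->mac_rx = (r->mac_rx + 1) % RING_SIZE;
		done++;
	}
	return done;
}

/* stmmac_rx_refill(): rearm `dirty` descriptors from dirty_rx up to cur_rx, stopping early
 * (leaving OWN=0 and buf NULL) at the first failed allocation. */
static void stmmac_rx_refill(struct rx_ring *r)
{
	while (r->dirty_rx != r->cur_rx) {
		if (r->alloc_budget <= 0)
			return;			/* retry from dirty_rx next time */
		r->alloc_budget--;
		r->buf[r->dirty_rx] = &r->pool[r->dirty_rx];
		r->desc[r->dirty_rx].own = 1;
		r->dirty_rx = (r->dirty_rx + 1) % RING_SIZE;
	}
}

/* stmmac_rx(). hardened == 0 is the pre-fix loop: it tests only OWN and caps iterations at
 * RING_SIZE - 1. hardened != 0 is the fix: never advance cur_rx onto a `dirty` entry. */
static int stmmac_rx(struct rx_ring *r, int hardened)
{
	int limit = hardened ? NAPI_BUDGET : (NAPI_BUDGET < RING_SIZE - 1 ? NAPI_BUDGET : RING_SIZE - 1);
	int count = 0;
	while (count < limit) {
		unsigned int entry = r->cur_rx, next = (entry + 1) % RING_SIZE;
		if (r->desc[entry].own)
			break;				/* `empty`: the MAC still has it */
		if (!r->buf[entry]) {
			r->null_derefs++;		/* `dirty` mistaken for `full`: the panic */
			break;
		}
		if (hardened && !r->desc[next].own && !r->buf[next])
			break;	/* next entry is dirty: hold this frame until refill catches up */
		r->buf[entry] = NULL;			/* buffer goes to the stack: entry is now `dirty` */
		r->delivered++;
		r->cur_rx = next;
		count++;
	}
	return count;
}

/* Constructed scenario: 5 frames, a refill that can allocate only 2 buffers, then 5 more frames. */
static struct rx_stats run_scenario(int hardened)
{
	struct rx_ring r;
	ring_init(&r, 2);
	mac_receive(&r, 5);
	stmmac_rx(&r, hardened);
	stmmac_rx_refill(&r);		/* entries 0 and 1 get buffers; 2..4 stay dirty */
	mac_receive(&r, 5);		/* completes into 5, 6, 7, 0, 1 */
	stmmac_rx(&r, hardened);	/* the pre-fix loop walks from 5 straight into dirty entry 2 */
	if (!r.null_derefs) {
		r.alloc_budget = RING_SIZE;	/* memory pressure eases */
		stmmac_rx_refill(&r);
		stmmac_rx(&r, hardened);	/* the hardened loop now delivers the frame it held back */
	}
	return (struct rx_stats){ r.delivered, r.null_derefs };
}
```

run_scenario(0) reports one would-be NULL dereference: the second burst carries cur_rx from entry 5 round to entry 2, one of the three descriptors the starved refill left dirty, well within the old iteration clamp. run_scenario(1) reports none and delivers the same ten frames; it stops one entry short at the end of the second burst and releases that frame only after the refill has rearmed the dirty run, which is the behaviour the description trades for removing the clamp.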
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in create_big_sync Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()’s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del(). 2026-05-28 7.8 CVE-2026-46111
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn’t hold those locks for the error unwind so it risks corrupting memory. Grab the same locks the other two callers use. 2026-05-28 7.8 CVE-2026-46112
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker’s MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet’s own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker’s MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero. 2026-05-28 7.5 CVE-2026-46114
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete KASAN reproduces a slab-use-after-free in __xfrm_state_delete()’s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being: BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains. __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates: if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev. 
The defensive change here: – Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc(). – Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields. Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths — they just no longer crash. Reproduction: – Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV – syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db – 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal – 9 unique signatures collected in ~9h, all within xfrm_state lifecycle 2026-05-28 7.8 CVE-2026-46116
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation. 2026-05-28 7.8 CVE-2026-46117
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ip6_gre: Use cached t->net in ip6erspan_changelink(). After commit 5e72ce3e3980 (“net: ipv6: Use link netns in newlink() of rtnl_link_ops”), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device’s creation netns after IFLA_NET_NS_FD migration. This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify(). Reachable from an unprivileged user namespace (unshare --user --map-root-user --net). ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape. 2026-05-28 7.8 CVE-2026-46120
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: clamp rx length before skb_put virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one(). Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device. The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory. Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle(). Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log. Same class of bug as commit c04db81cd028 (“net/9p: Fix buffer overflow in USB transport layer”), which hardened the USB 9p transport against unchecked device-reported length. 2026-05-28 7.7 CVE-2026-46123
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (“isofs: Prevent the use of too small fid”) can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line. 2026-05-28 7.5 CVE-2026-46124
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup. 2026-05-28 7.8 CVE-2026-46129
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 (“RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv”), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr … The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and “rdma link add”; no QP, no connection, and no authentication. 
Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs. 2026-05-28 7.5 CVE-2026-46133
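The two rxe entries above (CVE-2026-46114, zero-length ATOMIC_WRITE, and CVE-2026-46133, unknown opcode) are both failures of the same receive-path length check. The following user-space model, added here and not taken from the kernel or the rxe driver, shows why the short-packet test alone lets a 48-byte opcode-0xff packet through and why the header-length subtraction then wraps, and what the ordering of the hardened check has to be. The table model_opcode[], the opcode numbers, the header sizes, struct model_pkt and the function names are assumptions chosen for the model; only the shape of the checks follows the commit messages.

```c
/*
 * Added example, not kernel code: a user-space model of the rxe receive-path
 * length checks discussed in CVE-2026-46114 and CVE-2026-46133. The table
 * model_opcode[], the opcode numbers, the header sizes and struct model_pkt
 * are assumptions chosen for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RXE_BTH_BYTES   12  /* Base Transport Header */
#define RXE_RETH_BYTES  16  /* RDMA Extended Transport Header */
#define RXE_ICRC_SIZE    4  /* trailing invariant CRC */

/* Assumed opcode numbers and mask bits for the model. */
#define OP_RDMA_WRITE_ONLY  0x0a
#define OP_ATOMIC_WRITE     0x1d
#define MASK_WRITE          0x1
#define MASK_ATOMIC_WRITE   0x2

struct model_opcode { uint32_t mask; size_t length; };

/* Only defined opcodes are populated; every other slot stays zero, which is
 * the property of rxe_opcode[] that the unknown-opcode bug relies on. */
static const struct model_opcode model_opcode[256] = {
    [OP_RDMA_WRITE_ONLY] = { MASK_WRITE,        RXE_BTH_BYTES + RXE_RETH_BYTES },
    [OP_ATOMIC_WRITE]    = { MASK_ATOMIC_WRITE, RXE_BTH_BYTES + RXE_RETH_BYTES },
};

struct model_pkt {
    uint8_t  opcode;    /* BTH opcode byte, attacker controlled */
    size_t   paylen;    /* bytes received after the UDP header */
    uint8_t  pad;       /* BTH pad count */
    uint32_t reth_len;  /* RETH DMA length, attacker controlled */
};

/* Bytes the ICRC routine would hash after the BTH. For an opcode with no
 * table entry, length is 0 and the subtraction wraps to a huge value. */
static size_t icrc_hdr_bytes(const struct model_pkt *p)
{
    return model_opcode[p->opcode].length - RXE_BTH_BYTES;
}

/* The short-packet test alone: for an unknown opcode it degenerates to
 * paylen < pad + ICRC and lets a 48-byte packet through. */
static bool short_pkt_old(const struct model_pkt *p)
{
    return p->paylen < model_opcode[p->opcode].length + p->pad + RXE_ICRC_SIZE;
}

/* Hardened receive check. Returns true if the packet must be dropped. */
static bool rcv_reject(const struct model_pkt *p)
{
    const struct model_opcode *op = &model_opcode[p->opcode];

    /* Unknown opcode: reject before any length arithmetic runs. */
    if (op->mask == 0 || op->length == 0)
        return true;
    if (p->paylen < op->length + p->pad + RXE_ICRC_SIZE)
        return true;
    if (op->mask & MASK_ATOMIC_WRITE) {
        /* ATOMIC_WRITE carries exactly 8 bytes; a zero RETH length must
         * not reach the responder's 8-byte dereference. */
        size_t payload = p->paylen - op->length - p->pad - RXE_ICRC_SIZE;
        if (payload != sizeof(uint64_t) || p->reth_len != sizeof(uint64_t))
            return true;
    }
    return false;
}

int main(void)
{
    struct model_pkt bad_op = { 0xff, 48, 0, 0 };
    struct model_pkt zero_aw = { OP_ATOMIC_WRITE, 32, 0, 0 };

    printf("opcode 0xff: old check drops=%d, hashed hdr bytes=%zu, new check drops=%d\n",
           short_pkt_old(&bad_op), icrc_hdr_bytes(&bad_op), rcv_reject(&bad_op));
    printf("zero-length ATOMIC_WRITE: old check drops=%d, new check drops=%d\n",
           short_pkt_old(&zero_aw), rcv_reject(&zero_aw));
    return 0;
}
```

The order matters: the table lookup must be validated before any value read from the table is used in arithmetic, and the per-opcode payload rule (exactly 8 bytes for ATOMIC_WRITE) is checked only after the generic header-length floor has passed.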
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow. 2026-05-28 7.8 CVE-2026-46145
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then memcpy()s cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long, because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, and, when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() is triggered. Commit 27e06650a5ea (“scsi: target: target_core_configfs: Add length check to avoid buffer overflow”) added the same bound to target_lu_gp_members_show(), but the tg_pt_gp variant was missed; resolve that here. 2026-05-28 7.1 CVE-2026-46149
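The snprintf()-then-memcpy() mistake in the entry above is a general C pattern, not specific to the target code. The model below is added here and is not the kernel's code: it shows the would-be length snprintf() returns for an over-long WWN, and the clamp that keeps the copy inside the source buffer while preserving the destination guard. The 256-byte buffer size, the "%s/tpgt_%u/lun_%u\n" format and the helper names are assumptions; the 300-character WWN is constructed input.

```c
/*
 * Added example, not kernel code: the snprintf()-then-memcpy() pattern from
 * tg_pt_gp_members_show(), modelled in user space. The buffer size, the
 * format string and the helper names are assumptions for the model; the
 * 300-character WWN is constructed input.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEMBER_BUF_SIZE 256
#define PAGE_SIZE_MODEL 4096

/* Vulnerable shape: trusts snprintf()'s return value as the byte count to
 * copy. snprintf() returns the length the output WOULD have had, so for a
 * long WWN this exceeds sizeof(buf) and the later memcpy() reads past the
 * stack buffer. Returns that would-be length. */
static size_t member_len_unbounded(const char *wwn, unsigned tpgt, unsigned lun)
{
    char buf[MEMBER_BUF_SIZE];
    int len = snprintf(buf, sizeof(buf), "%s/tpgt_%u/lun_%u\n", wwn, tpgt, lun);

    return len < 0 ? 0 : (size_t)len;
}

/* Hardened shape: clamp cur_len to what actually fits in buf, then keep the
 * destination-page guard that the original memcpy() site already had.
 * Returns the number of bytes appended to page, 0 if nothing was copied. */
static size_t member_copy_bounded(char *page, size_t page_len, size_t *page_used,
                                  const char *wwn, unsigned tpgt, unsigned lun)
{
    char buf[MEMBER_BUF_SIZE];
    int ret = snprintf(buf, sizeof(buf), "%s/tpgt_%u/lun_%u\n", wwn, tpgt, lun);
    size_t cur_len;

    if (ret < 0)
        return 0;
    cur_len = (size_t)ret;
    if (cur_len >= sizeof(buf))          /* output was truncated */
        cur_len = sizeof(buf) - 1;       /* never read beyond the source buffer */
    if (*page_used + cur_len > page_len) /* destination guard */
        return 0;
    memcpy(page + *page_used, buf, cur_len);
    *page_used += cur_len;
    return cur_len;
}

/* Constructed input: a 300-character WWN, longer than the 223-byte IQN
 * limit mentioned in the commit message and longer than the buffer. */
static const char *long_wwn(void)
{
    static char wwn[301];

    memset(wwn, 'a', sizeof(wwn) - 1);
    wwn[sizeof(wwn) - 1] = '\0';
    return wwn;
}

/* Run the hardened copy once into a fresh page and report bytes copied. */
static size_t bounded_demo(const char *wwn)
{
    static char page[PAGE_SIZE_MODEL];
    size_t used = 0;

    return member_copy_bounded(page, sizeof(page), &used, wwn, 1, 0);
}

int main(void)
{
    printf("unbounded cur_len=%zu (buffer is %d bytes)\n",
           member_len_unbounded(long_wwn(), 1, 0), MEMBER_BUF_SIZE);
    printf("bounded cur_len=%zu\n", bounded_demo(long_wwn()));
    return 0;
}
```

With FORTIFY_SOURCE the unbounded memcpy() is caught at runtime as the entry describes; without it the over-read silently leaks stack bytes to whoever can read the sysfs file, which is why the clamp belongs on the source length and not only on the destination.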
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group. 2026-05-28 7.1 CVE-2026-46150
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler’s) but dereferences the freed one – UAF on SCX_HAS_OP(sch, …) / SCX_CALL_OP(sch, …). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot. 2026-05-28 7 CVE-2026-46154
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to a data race. And in this case it may lead to a more severe problem because it’s a bit field: when writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing. Fix it by covering the runtime.oss.trigger bit field also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll(). 2026-05-28 7.8 CVE-2026-46157
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup. 2026-05-28 7 CVE-2026-46164
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying “WARNING: must be called with preemption disabled!”. If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn’t hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task’s stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect “recursively oopsing” tasks; it is enough to oops once during task exit, for example in a file_operations::release handler.) 2026-05-28 7.8 CVE-2026-46173
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix fsck inconsistency caused by FGGC of node block During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data. The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP SPO, “fsck --dry-run” find inode has already checkpointed but still with DENT_BIT_SHIFT set The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes. In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing. This patch moves the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC. 2026-05-28 7.1 CVE-2026-46175
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks “if (devr->s1) return 0;” and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path. 2026-05-28 7.8 CVE-2026-46176
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time. In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or messages or a few other things. If the attn bit gets stuck, it’s a similar problem. So allow messages in between flag fetches so the driver itself doesn’t get stuck. This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won’t stop saying it has data. This has been there from the beginning of the driver. It’s not a bug per se, but it is accounting for bugs in BMCs. 2026-05-28 7.5 CVE-2026-46177
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Sashiko points out that mlx4_srq_alloc() was not undone during error unwind; add the missing call to mlx4_srq_free(). 2026-05-28 7.8 CVE-2026-46178
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn’t even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock, since it isn’t easy to make RCU work; use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized. 2026-05-28 7.8 CVE-2026-46181
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the ‘names_len’ argument is used to bounds-check the ‘names’ array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array’s actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array. 2026-05-28 7.1 CVE-2026-46190
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f) 2026-05-28 7.8 CVE-2026-46197
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg. 2026-05-28 7.1 CVE-2026-46199
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it. (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51) 2026-05-28 7.8 CVE-2026-46201
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks. 2026-05-28 7.1 CVE-2026-46204
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Disallow all private IOCTLs Disallow all private IOCTLs. These aren’t quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy. 2026-05-28 7.8 CVE-2026-46205
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tp_meter sessions during teardown Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE. 2026-05-28 7.8 CVE-2026-46206
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop tp_meter sessions during mesh teardown TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues. 2026-05-28 7.8 CVE-2026-46208
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division: unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1); However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations. For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object’s bounds. Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check(). 2026-05-28 7.8 CVE-2026-46209
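The min_size wrap in the entry above is easy to reproduce outside the kernel. The following model is added here and is not DRM code: it computes the chroma-plane minimum object size for an NV12-style format both the way the vulnerable path did (plain division) and the way framebuffer_check() does (DIV_ROUND_UP), and applies the size guard to a 4-byte object. struct fmt_info, the helper names, and the pitch, offset and object-size numbers are assumptions for the model.

```c
/*
 * Added example, not DRM code: reproduces the min_size arithmetic the commit
 * describes for a 2-plane NV12-style format (hsub = vsub = 2) with a
 * 1-pixel-tall framebuffer. struct fmt_info, the helper names, and the
 * pitch/offset/object-size numbers in main() are assumptions for the model.
 */
#include <stdbool.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

struct fmt_info { unsigned int hsub, vsub, cpp[2], num_planes; };

/* NV12: full-resolution luma plane (1 byte/pixel), 2x2-subsampled
 * interleaved chroma plane (2 bytes/pixel). */
static const struct fmt_info nv12 = { .hsub = 2, .vsub = 2, .cpp = { 1, 2 }, .num_planes = 2 };

/* Minimum object size for plane i as the vulnerable path computed it:
 * plain division, so plane 1 of a 1-pixel-tall fb has height == 0 and
 * (height - 1) wraps to UINT_MAX. All arithmetic is unsigned int, so the
 * wrap is well-defined but yields a tiny min_size. */
static unsigned int plane_min_size_plain(const struct fmt_info *f, unsigned int w, unsigned int h,
                                         unsigned int pitch, unsigned int offset, unsigned int i)
{
    unsigned int width  = w / (i ? f->hsub : 1);
    unsigned int height = h / (i ? f->vsub : 1);

    return (height - 1) * pitch + width * f->cpp[i] + offset;
}

/* Fixed path: round up, as drm_format_info_plane_width/height() and the
 * ioctl-level framebuffer_check() already did. */
static unsigned int plane_min_size_round_up(const struct fmt_info *f, unsigned int w, unsigned int h,
                                            unsigned int pitch, unsigned int offset, unsigned int i)
{
    unsigned int width  = i ? DIV_ROUND_UP(w, f->hsub) : w;
    unsigned int height = i ? DIV_ROUND_UP(h, f->vsub) : h;

    return (height - 1) * pitch + width * f->cpp[i] + offset;
}

/* The size guard applied to a GEM object of obj_size bytes. */
static bool gem_size_ok(unsigned int obj_size, unsigned int min_size)
{
    return obj_size >= min_size;
}

int main(void)
{
    /* 2x1 framebuffer, chroma plane pitch 64, chroma plane offset 64. */
    unsigned int plain = plane_min_size_plain(&nv12, 2, 1, 64, 64, 1);
    unsigned int fixed = plane_min_size_round_up(&nv12, 2, 1, 64, 64, 1);

    printf("NV12 2x1 chroma plane: plain min_size=%u (4-byte object passes: %d), "
           "rounded-up min_size=%u (4-byte object passes: %d)\n",
           plain, gem_size_ok(4, plain), fixed, gem_size_ok(4, fixed));
    return 0;
}
```

With these numbers the plain computation wraps to a min_size of 2 bytes, so a 4-byte object passes the guard even though the chroma plane needs 66 bytes; for framebuffers whose dimensions divide evenly the two formulas agree, which is why the bug only surfaces for specific format and size combinations.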
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: iris: fix use-after-free of fmt_src during MBPF check During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks. 2026-05-28 7.8 CVE-2026-46210
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime swap in change_handle There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free. To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it. create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don’t need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration. v2: cleanups of error paths 2026-05-28 7.8 CVE-2026-46215
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add bounds checking to ib_{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail. 2026-05-28 7.1 CVE-2026-46218
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the “sk != asoc->base.sk” and “asoc->base.dead” checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint’s list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. 
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits ‘continue’ before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (“sctp: walk the list of asoc safely”) was added for. 2026-05-28 7.8 CVE-2026-46227
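The hazard in the SCTP_SENDALL entry above is a general one for list_for_each_entry_safe(): the cached next pointer is only valid while the lock that protects the list is held. The following user-space model is added here and is not kernel code. It walks an intrusive list the way SCTP_SENDALL does, lets the loop body "drop the lock" so that the association after the current one is migrated to another endpoint and freed, and compares trusting the cached cursor with re-deriving it from the current entry afterwards. The list helpers, struct assoc, struct endpoint and send_and_drop_lock() are assumptions for the model; freed memory is represented by a flag rather than a real free() so the buggy walk can be observed safely.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * list_for_each_entry_safe() hazard described for SCTP_SENDALL. The list
 * helpers, struct assoc/struct endpoint and send_and_drop_lock() are
 * assumptions for the model; "freed" is a flag, not a real free().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

struct assoc    { struct list_head asocs; int id; bool freed; };
struct endpoint { struct list_head asocs; };

/* Loop body. While the lock is "dropped", another thread peels off the
 * association that follows @cur, migrates it to @newep and frees it. */
static void send_and_drop_lock(struct assoc *cur, struct endpoint *ep, struct endpoint *newep)
{
    if (cur->asocs.next == &ep->asocs)
        return;                            /* nothing after @cur to peel off */
    struct assoc *victim = container_of(cur->asocs.next, struct assoc, asocs);
    list_del_init(&victim->asocs);         /* stands in for sctp_assoc_migrate() */
    list_add_tail(&victim->asocs, &newep->asocs);
    victim->freed = true;                  /* close() of the peeled-off socket */
}

/* Walk ep->asocs as SCTP_SENDALL does. With rederive == false the cursor
 * cached in @tmp is trusted across the lock drop (the bug); with
 * rederive == true it is re-read from @pos afterwards (the fix). Returns
 * the number of associations sent to; *uaf_hits counts touches of freed
 * memory. */
static int sendall(struct endpoint *ep, struct endpoint *newep, bool rederive, int *uaf_hits)
{
    struct list_head *pos, *tmp;
    int sent = 0;

    for (pos = ep->asocs.next, tmp = pos->next; pos != &ep->asocs; pos = tmp, tmp = pos->next) {
        struct assoc *a = container_of(pos, struct assoc, asocs);

        if (a->freed) {                    /* in the kernel: use-after-free here */
            (*uaf_hits)++;
            break;                         /* the next hop would be &newep->asocs itself */
        }
        send_and_drop_lock(a, ep, newep);
        sent++;
        if (rederive)
            tmp = pos->next;               /* @a is still on ep->asocs, so this is safe */
    }
    return sent;
}

/* Build an endpoint with three associations and run one walk. */
static int run_scenario(bool rederive, int *uaf_hits)
{
    struct endpoint ep, newep;
    struct assoc a[3];

    list_init(&ep.asocs);
    list_init(&newep.asocs);
    for (int i = 0; i < 3; i++) {
        a[i].id = i + 1;
        a[i].freed = false;
        list_add_tail(&a[i].asocs, &ep.asocs);
    }
    *uaf_hits = 0;
    return sendall(&ep, &newep, rederive, uaf_hits);
}

static int sent_count(bool rederive) { int h; return run_scenario(rederive, &h); }
static int uaf_count(bool rederive)  { int h; run_scenario(rederive, &h); return h; }

int main(void)
{
    printf("cached cursor: sent=%d uaf=%d\n", sent_count(false), uaf_count(false));
    printf("re-derived:    sent=%d uaf=%d\n", sent_count(true), uaf_count(true));
    return 0;
}
```

The buggy walk sends to the first association, then steps onto the peeled-off (freed) second one; had it continued, the next cached pointer would be the other endpoint's list head interpreted as an association, which is the type confusion the entry describes. The re-derived walk skips the migrated entry and sends to the remaining one.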
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg. 2026-05-28 7.1 CVE-2026-46230
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Avoid overflow on msg bound check As pointed out by SDL, the previous condition may be vulnerable to overflow. (cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10) 2026-05-28 7.1 CVE-2026-46237
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 (“media: iris: gen1: Destroy internal buffers after FW releases”) introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing. 2026-05-28 7.8 CVE-2026-46240
litespeedtech–LiteSpeed Cache The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline on frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content. 2026-05-27 7.2 CVE-2026-3375
Livebms–Gate Pass Management System Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application. 2026-05-30 8.2 CVE-2018-25424
Ludwig You–QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly quickwebp allows Path Traversal. This issue affects QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly: from n/a through <= 3.2.7. 2026-05-27 9.9 CVE-2026-42756
M-Gb–MGB OpenSource Guestbook MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the ‘id’ parameter to extract sensitive database information including table and column names. 2026-05-30 8.2 CVE-2018-25411
Magentech–SW Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18. 2026-05-26 7.5 CVE-2026-39661
MapServer–MapServer MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> – it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3. 2026-05-27 7.5 CVE-2026-45104
marcantondahmen–automad Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28. 2026-05-28 7.5 CVE-2026-45332
MarcelRoozekrans–roslyn-codelens-mcp Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server’s OS privileges. This vulnerability is fixed in 1.17.0. 2026-05-29 7.8 CVE-2026-45555
masci–banks Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2. 2026-05-26 7.5 CVE-2026-44209
Mattermost–Mattermost Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server’s filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659 2026-05-27 8 CVE-2026-6957
Mautic–API Contact Filtering An SQL injection vulnerability exists in Mautic’s API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. 2026-05-29 7.1 CVE-2026-4776
Mautic–Mautic 7 API v2 An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users. 2026-05-29 7.1 CVE-2026-9808
Mautic–Mautic 7 Campaign Import A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user. 2026-05-29 9.9 CVE-2026-9559
Mautic–Mautic 7 Projects A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data. 2026-05-29 7.6 CVE-2026-9809
Mautic–Mautic Theme Engine A Server-Side Template Injection (SSTI) vulnerability exists in Mautic’s theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings. 2026-05-29 9.9 CVE-2026-9558
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40810
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40811
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40812
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40813
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40814
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40815
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40816
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40817
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40818
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40819
MB connect line–mbCONNECT24 A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php file's saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command, allowing for reading the whole database and inserting entries into a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 7.1 CVE-2026-40833
MB connect line–mbCONNECT24 A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php file's saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command, allowing for reading the whole database and inserting entries into a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 7.1 CVE-2026-40834
MB connect line–mbCONNECT24 A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command, allowing for reading the whole database and deleting entries in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 7.1 CVE-2026-40836
MB connect line–mbCONNECT24 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 7.5 CVE-2026-40850
MB connect line–mbNET/mbNET.rokey A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on a USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability. 2026-05-27 8.4 CVE-2026-40851
MB connect line–mbNET/mbNET.rokey A highly authenticated attacker can alter the config generator, injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to a system execute, leading to code execution. This can result in a total loss of confidentiality, integrity and availability. 2026-05-27 7.2 CVE-2026-40852
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7. 2026-05-27 8.2 CVE-2026-44712
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7. 2026-05-27 8.8 CVE-2026-44713
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1. 2026-05-27 8.1 CVE-2026-48064
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7. 2026-05-27 7.8 CVE-2026-44709
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7. 2026-05-27 7.9 CVE-2026-44711
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb’s deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent->ut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any — common on Ubuntu and Debian — incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0. 2026-05-27 7.4 CVE-2026-47269
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0. 2026-05-27 7.1 CVE-2026-47272
MedDream–PACS Server Premium MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database. 2026-05-25 8.2 CVE-2018-25372
MediaArea–MediaInfoLib MediaArea MediaInfoLib LXF parsing heap-based buffer overflow vulnerability 2026-05-26 7.8 CVE-2026-25104
MediaArea–MediaInfoLib MediaArea MediaInfoLib ID3v2 parsing heap buffer overflow vulnerability 2026-05-26 7.8 CVE-2026-25713
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory. 2026-05-27 8.1 CVE-2026-46402
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking. 2026-05-27 8.8 CVE-2026-46414
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user. 2026-05-27 7.8 CVE-2026-45322
mikro-orm–mikro-orm MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM’s identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. 2026-05-26 7.6 CVE-2026-44680
miniOrange–miniorange otp verification Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through <= 5.4.9. 2026-05-27 9.8 CVE-2026-42731
Mintplex-Labs–anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0. 2026-05-28 7.5 CVE-2026-48116
Mirasvit–Full Page Cache Warmer for Magento 2 Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP’s native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server. 2026-05-26 9.8 CVE-2026-45247
Moosocial–mooSocial Store Plugin mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information. 2026-05-25 8.2 CVE-2018-25371
mossdef-org–luci-app-https-dns-proxy luci-app-https-dns-proxy through 2025.12.29-5 – an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default – contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the ‘name’ parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable. 2026-05-26 8.8 CVE-2026-46368
mouse07410–asn1c mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass). 2026-05-29 8.2 CVE-2026-45615
MusicPlayerDaemon–MPD Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution. 2026-05-28 8.6 CVE-2026-49127
MusicPlayerDaemon–MPD Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing ‘..’ segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory. 2026-05-28 7.5 CVE-2026-49128
nautobot–nautobot Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot’s Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2. 2026-05-28 8.5 CVE-2026-44797
nautobot–nautobot Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot’s local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2. 2026-05-28 7.1 CVE-2026-44798
Network Optix–Nx Witness VMS CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected. Workaround: For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup. Solution: Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration. 2026-05-29 7.5 CVE-2026-10056
NI–SystemLink Enterprise There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires an attacker to send a specially crafted HTTP request. This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions. 2026-05-29 9.1 CVE-2026-9051
ninjew–GEO my WP The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the ‘swlatlng’ and ‘nelatlng’ parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row. 2026-05-30 7.5 CVE-2026-9757
Nordvpn–NordVPN Nord VPN 6.14.31 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting an excessively long string in the password field. Attackers can paste a buffer of repeated characters into the password input field to trigger an application crash when attempting to authenticate. 2026-05-25 7.5 CVE-2018-25368
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 8.8 CVE-2026-24187
NVIDIA–GeForce NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a user could cause improper access to GPU resources. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7.8 CVE-2026-24190
NVIDIA–GeForce NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use issue. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7.8 CVE-2026-24191
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause an incorrect conversion between numeric types, leading to a heap buffer overflow. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7.8 CVE-2026-24192
NVIDIA–GeForce NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7.8 CVE-2026-24193
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission handling. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7.8 CVE-2026-24194
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability where a user could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to denial of service and information disclosure. 2026-05-26 7.1 CVE-2026-24196
NVIDIA–Guest driver NVIDIA Display Driver for Linux contains a vulnerability in UVM, where a user could cause improper input validation. A successful exploit of this vulnerability might lead to denial of service. 2026-05-26 7.1 CVE-2026-24195
NVIDIA–Isaac Launchable NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. 2026-05-26 7.5 CVE-2026-24212
NVIDIA–Merlin Transformers4Rec NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. 2026-05-26 7.8 CVE-2026-24162
NVIDIA–Virtual GPU Manager NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause a use-after-free for stack memory. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. 2026-05-26 7 CVE-2026-24200
nyariv–SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6. 2026-05-28 10 CVE-2026-43898
omnivo–Booking Calendar Event Calendar The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hb_country_iso’, ‘hb_usa_state_iso’, and ‘hb_canada_province_iso’ parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page). 2026-05-27 7.2 CVE-2026-8143
OneUptime–oneuptime OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98. 2026-05-27 9.9 CVE-2026-45102
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. 2026-05-29 8.2 CVE-2018-25398
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. 2026-05-29 8.2 CVE-2018-25399
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and other data. 2026-05-29 8.2 CVE-2018-25400
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. 2026-05-29 8.2 CVE-2018-25401
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. 2026-05-29 8.2 CVE-2018-25402
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. 2026-05-29 8.2 CVE-2018-25403
Open ISES–Open ISES Project The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to extract sensitive database information including version details and other data. 2026-05-29 8.2 CVE-2018-25404
open-telemetry–opentelemetry-js opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0. 2026-05-27 7.5 CVE-2026-44902
Open5GS–Open5GS A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue. 2026-05-31 7.3 CVE-2026-10157
OpenCATS–OpenCATS OpenCATS through 0.9.7.4 contains an SQL injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data. 2026-05-31 8.5 CVE-2026-49489
OpenCATS–OpenCATS OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database. 2026-05-31 8.1 CVE-2026-49490
OpenClaw–OpenClaw OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal. 2026-05-29 8.3 CVE-2026-32905
OpenClaw–OpenClaw OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization. 2026-05-29 8 CVE-2026-35630
OpenClaw–OpenClaw OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations. 2026-05-29 8.8 CVE-2026-35674
OpenCTI-Platform–opencti OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7. 2026-05-26 7.2 CVE-2026-44730
Openises–Open ISES Project The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files. 2026-05-30 7.5 CVE-2018-25408
Openkm–OpenKM Community Edition OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records. 2026-05-26 7.2 CVE-2026-42425
Openkm–OpenKM Community Edition OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server. 2026-05-26 7.2 CVE-2026-42785
openreplay–openreplay OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay’s Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant’s project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0. 2026-05-28 7.7 CVE-2026-45296
Oracle Corporation–Oracle Database Server Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 9 CVE-2026-46833
Oracle Corporation–Oracle Database Server Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 2026-05-28 7.5 CVE-2026-46834
Oracle Corporation–Oracle Database Server Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 2026-05-28 7.5 CVE-2026-46835
Oracle Corporation–Oracle Financials Common Modules Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N). 2026-05-28 8.5 CVE-2026-46820
Oracle Corporation–Oracle Financials Common Modules Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2026-05-28 7.7 CVE-2026-46821
Oracle Corporation–Oracle Flow Manufacturing Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 2026-05-28 8.8 CVE-2026-46837
Oracle Corporation–Oracle Hospitality OPERA 5 Property Services Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 2026-05-28 9.8 CVE-2026-34311
Oracle Corporation–Oracle iAssets Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 9.9 CVE-2026-46822
Oracle Corporation–Oracle Internet Procurement Connector Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). 2026-05-28 9.1 CVE-2026-46819
Oracle Corporation–Oracle Payments Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 2026-05-28 9.8 CVE-2026-46817
Oracle Corporation–Oracle Payments Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). 2026-05-28 7.4 CVE-2026-46818
Oracle Corporation–Oracle Payroll Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 2026-05-28 8.8 CVE-2026-46826
Oracle Corporation–Oracle Payroll Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 2026-05-28 8.8 CVE-2026-46827
Oracle Corporation–Oracle Payroll Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payroll accessible data as well as unauthorized access to critical data or complete access to all Oracle Payroll accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). 2026-05-28 8.1 CVE-2026-46828
Oracle Corporation–Oracle Public Sector Financials (International) Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2026-05-28 7.7 CVE-2026-46823
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 10 CVE-2026-46840
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 9.9 CVE-2026-46775
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 9.9 CVE-2026-46839
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). 2026-05-28 8.1 CVE-2026-35277
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L). 2026-05-28 7.9 CVE-2026-35266
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 2026-05-28 7.5 CVE-2026-46829
Oracle Corporation–Oracle Universal Work Queue Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2026-05-28 9.9 CVE-2026-46824
Ourenergy–Collectric CMU Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques. 2026-05-25 8.2 CVE-2018-25379
OUSL-GROUP-BrinaryBrains–School Student Management System A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 7.3 CVE-2026-10167
oviva-ag–epa4all-client epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true. This vulnerability is fixed in 1.2.1. 2026-05-26 8.1 CVE-2026-44900
oviva-ag–epa4all-client epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. This vulnerability is fixed in 1.2.2. 2026-05-26 8.1 CVE-2026-45574
oviva-ag–epa4all-client epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects uri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker’s encryption key and POSTs it to the attacker’s auth endpoint. This captures the signed authentication material. This vulnerability is fixed in 1.2.2. 2026-05-26 7.4 CVE-2026-45575
pacote–pacote Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process. 2026-05-26 7.5 CVE-2026-9496
PCViewer–PCViewer PCViewer vt1000 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by submitting relative path sequences in GET requests. Attackers can use path traversal sequences ../../../../../../../../../../../../etc/passwd to access sensitive system files outside the intended directory. 2026-05-25 7.5 CVE-2018-25365
Pensar–Apex @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. 2026-05-27 8.8 CVE-2026-36044
phbernard–Favicon Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS. This issue affects Favicon: from n/a through <= 1.3.46. 2026-05-27 7.1 CVE-2026-42754
Phoenix Contact–AXC F 1152 The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control. 2026-05-27 8.8 CVE-2025-41669
Phoenix Contact–AXC F 1152 A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation. 2026-05-27 7.8 CVE-2025-41670
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer offers an environment-level Disable bind mounts for non-administrators security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy HostConfig.Binds array on the container-create proxy and never looked at the equivalent HostConfig.Mounts array. Any authenticated user with rights to create containers on a Docker environment where the restriction is enabled could submit a bind-typed entry under HostConfig.Mounts and mount any host path into their container. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. 2026-05-28 8.5 CVE-2026-44850
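The check described for CVE-2026-44850, as an added example that is not Portainer's code (Portainer is written in Go): the legacy check inspected only HostConfig.Binds, so a bind-typed entry under HostConfig.Mounts went through. The Docker Engine API field names are real; the request bodies are constructed. The volume-driver branch goes beyond the advisory: the local volume driver can be pointed at a host path through driver options, which is a third route to host files.

```javascript
// Added example, not Portainer's code (which is Go): a container-create body
// check that looks at both HostConfig.Binds and HostConfig.Mounts. The Docker
// Engine API field names are real; the sample bodies below are constructed.

// Legacy behaviour described in the advisory: only the Binds array is inspected.
function hostBindsLegacy(body) {
  const hc = (body && body.HostConfig) || {};
  return Array.isArray(hc.Binds) ? hc.Binds.map(b => String(b).split(':')[0]) : [];
}

// Hardened check: returns every host path the body would mount, from either array.
// Unrecognised shapes are reported too, so the caller fails closed.
function hostBinds(body) {
  const hc = (body && body.HostConfig) || {};
  const found = [];
  for (const b of Array.isArray(hc.Binds) ? hc.Binds : []) {
    found.push(String(b).split(':')[0]);            // "host:container[:opts]"
  }
  for (const m of Array.isArray(hc.Mounts) ? hc.Mounts : []) {
    if (!m || typeof m !== 'object') { found.push('<malformed mount entry>'); continue; }
    const type = String(m.Type || '').toLowerCase();
    if (type === 'bind' || type === 'npipe') {
      found.push(String(m.Source || '<missing source>'));
    } else if (type === 'volume') {
      // Beyond the advisory: the "local" volume driver can be aimed at a host
      // path via driver options, another way to reach host files.
      const opts = ((m.VolumeOptions || {}).DriverConfig || {}).Options || {};
      if (opts.device) found.push(`volume-driver device=${opts.device}`);
    }
  }
  return found;
}

// Enforcement: reject the create request for non-admins when the environment
// has "Disable bind mounts for non-administrators" turned on.
function allowContainerCreate(body, { isAdmin, bindMountsDisabled }) {
  if (isAdmin || !bindMountsDisabled) return { ok: true, hostPaths: [] };
  const hostPaths = hostBinds(body);
  return { ok: hostPaths.length === 0, hostPaths };
}

// Constructed sample bodies.
const legacyBody = { Image: 'alpine', HostConfig: { Binds: ['/:/host:ro'] } };
const bypassBody = { Image: 'alpine', HostConfig: { Mounts: [{ Type: 'bind', Source: '/', Target: '/host' }] } };
const cleanBody  = { Image: 'alpine', HostConfig: { Mounts: [{ Type: 'volume', Source: 'appdata', Target: '/data' }] } };
```

The same lesson applies to any proxy that enforces policy on a schema with more than one spelling for the same capability: enumerate every field that can express the dangerous thing, and treat an entry you cannot classify as a denial rather than a pass.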
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user’s token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement – execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer’s outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware – for example a user without permission to access a given Kubernetes endpoint – would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8. 2026-05-28 8.1 CVE-2026-44882
prolix-oc–Lumiverse Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the –ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7. 2026-05-26 9.1 CVE-2026-44444
prolix-oc–Lumiverse Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains “; !<cmd>; echo ” achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7. 2026-05-26 9.1 CVE-2026-44449
prolix-oc–Lumiverse Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:<port> directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7. 2026-05-26 9.9 CVE-2026-44450
prolix-oc–Lumiverse Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session. This vulnerability is fixed in 0.9.7. 2026-05-26 9.3 CVE-2026-44451
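The two bypasses described for CVE-2026-44451, reproduced as an added example that is not Lumiverse's code. The blocklist, the regex and the stand-in DOM node are constructed; in a browser the node would come from a ref on a rendered element and ownerDocument.defaultView would be the real window. Running it in Node is enough to show why a word-boundary regex over source plus shadowed globals is not a sandbox.

```javascript
// Added example, not Lumiverse code: a regex blocklist and parameter shadowing
// of the kind the advisory describes, and the string-split escape that defeats both.

const BLOCKED = ['window', 'document', 'globalThis', 'fetch', 'eval', 'ownerDocument', 'defaultView'];
const BLOCK_RE = new RegExp('\\b(' + BLOCKED.join('|') + ')\\b');

// Static validator as described: reject source that names a blocked identifier.
function validateSource(src) {
  return !BLOCK_RE.test(src);
}

// Runtime "sandbox" as described: compile with new Function and shadow the
// dangerous names as parameters bound to undefined.
function runShadowed(src, node) {
  const fn = new Function(...BLOCKED, 'node', src);
  return fn(...BLOCKED.map(() => undefined), node);
}

function runOverride(src, node) {
  if (!validateSource(src)) return { blocked: true };
  return { blocked: false, result: runShadowed(src, node) };
}

// Stand-in for a live element reachable through a ref (constructed).
const fakeNode = { ownerDocument: { defaultView: globalThis } };

// Override source that names nothing on the blocklist yet reaches the real global object.
const ESCAPE = "return node['ownerDoc' + 'ument']['def' + 'aultView'];";

// A direct reference, for contrast: caught by the regex, and shadowed if it ever ran.
const DIRECT = 'return window;';
```

The only robust fix is an actual isolation boundary: run untrusted overrides in a sandboxed iframe or a Worker that has no DOM and no refs into the host page, and treat anything handed to that code (elements, callbacks) as a capability you are granting. Identifier filtering on source text cannot be made complete, because property names can always be built at runtime.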
Property Hive–PropertyHive Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS. This issue affects PropertyHive: from n/a through <= 2.2.2. 2026-05-27 7.1 CVE-2026-42729
pyload–pyload pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator’s browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100. 2026-05-28 8.7 CVE-2026-45348
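The attribute-context sink described for CVE-2026-45348, beside a rendering that escapes and validates the URL, as an added example that is not pyLoad code. The stored link is constructed; the vulnerable renderer mirrors the pattern in the advisory (template literal inside a single-quoted attribute, result written via innerHTML).

```javascript
// Added example, not pyLoad code: the quote break-out in a single-quoted
// attribute, and a renderer that escapes for the context and rejects
// script-capable URL schemes.

// Vulnerable: stored URL interpolated into a single-quoted attribute, then
// assigned to innerHTML; nothing escapes it in between.
function renderLinkVulnerable(url) {
  return `<a href='${url}' class='link'>${url}</a>`;
}

// Escape for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Only allow schemes that cannot run script when followed.
function isSafeHref(url) {
  try { return ['http:', 'https:', 'ftp:'].includes(new URL(url).protocol); }
  catch { return false; }
}

function renderLinkSafe(url) {
  const href = isSafeHref(url) ? escapeHtml(url) : '#';
  return `<a href='${href}' class='link'>${escapeHtml(url)}</a>`;
}

// Constructed stored link: closes the quote and adds an event handler.
const HOSTILE_URL = "http://example.invalid/' onmouseover='alert(document.cookie)";
```

In a browser the better fix is to stop building markup from strings at all: create the anchor with document.createElement, set href through the property and the label through textContent. A Content Security Policy without 'unsafe-inline' in script-src would also have stopped the inline handler from running, which the advisory notes the theme did not set.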
rancher–local-path-provisioner Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants’ local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36. 2026-05-28 8.7 CVE-2026-44543
ranfdev–deepobj deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3. 2026-05-28 8.2 CVE-2026-46509
RealMag777–Active Products Tables for WooCommerce Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.8. 2026-05-27 9.3 CVE-2026-42727
RealMag777–Active Products Tables for WooCommerce Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.9. 2026-05-27 9.3 CVE-2026-42761
RealMag777–TableOn Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection. This issue affects TableOn: from n/a through <= 1.0.5.1. 2026-05-27 9.3 CVE-2026-42755
RealMag777–WPCS Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1. 2026-05-27 7.1 CVE-2026-42733
Red Hat–Pen Drive Powered by Red Hat Lightspeed A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive’s top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction. 2026-05-28 7 CVE-2026-44604
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak’s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client’s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user’s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm. 2026-05-28 7.3 CVE-2026-9795
Red Hat–Red Hat Container Native Virtualization 4.12 A flaw was found in KubeVirt’s virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host’s container runtime (CRI-O) socket, an attacker can hijack virt-handler’s privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster. 2026-05-26 9.9 CVE-2026-7374
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the “check password script” feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the “check password script” is used with %u and the samba-dcerpcd service is started as a system service. 2026-05-28 9 CVE-2026-4408
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications. 2026-05-27 8 CVE-2026-3012
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the “print command” setting via the “%J” substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system. 2026-05-26 8.5 CVE-2026-4480
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types. 2026-05-27 7.1 CVE-2026-1933
Red Hat–Red Hat Enterprise Linux 8 A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks. 2026-05-26 8.2 CVE-2026-42013
Red Hat–Red Hat Enterprise Linux 8 A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure. 2026-05-26 8.2 CVE-2026-5260
Red Hat–Red Hat Enterprise Linux 8 A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information. 2026-05-26 7.1 CVE-2026-42012
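Reference-identity matching written to avoid the two fallbacks described for CVE-2026-42013 and CVE-2026-42012, as an added example that is not GnuTLS code. Certificates are plain objects whose SAN extension is assumed to have been parsed already; the entry limit and the sample certificates are constructed. The flawed variant reproduces the behaviour the advisories describe, the hardened one follows RFC 6125 section 6.4.4: the CN is consulted only when the SAN carries no DNS-ID, SRV-ID or URI-ID at all, and a SAN the parser cannot handle fails the certificate rather than the check.

```javascript
// Added example, not GnuTLS code: hostname verification over a pre-parsed
// certificate, with the CN fallback done the RFC 6125 way.

const MAX_SAN_ENTRIES = 64; // constructed limit for this example

function dnsMatch(pattern, host) {
  pattern = pattern.toLowerCase().replace(/\.$/, '');
  host = host.toLowerCase().replace(/\.$/, '');
  if (pattern === host) return true;
  // Wildcard only as the whole leftmost label, and never for a bare "*.tld".
  if (!pattern.startsWith('*.')) return false;
  const p = pattern.split('.'), h = host.split('.');
  if (p.length < 3 || p.length !== h.length) return false;
  return p.slice(1).join('.') === h.slice(1).join('.');
}

// Behaviour described in the advisories: whenever the SAN check yields no DNS
// match (oversized SAN, or only URI/SRV entries), the CN is tried instead.
function verifyHostnameFlawed(cert, host) {
  const san = cert.san || [];
  const dnsIds = san.length <= MAX_SAN_ENTRIES ? san.filter(e => e.type === 'dns') : [];
  if (dnsIds.length > 0) return dnsIds.some(e => dnsMatch(e.value, host));
  return cert.subjectCN ? dnsMatch(cert.subjectCN, host) : false;
}

// Hardened: a SAN that cannot be processed is a validation failure, and the CN
// is only used when the SAN carries none of DNS-ID, SRV-ID, URI-ID.
function verifyHostname(cert, host) {
  const san = cert.san || [];
  if (san.length > MAX_SAN_ENTRIES) throw new Error('SAN extension too large; refusing certificate');
  const types = new Set(san.map(e => e.type));
  if (types.has('dns') || types.has('srv') || types.has('uri')) {
    return san.filter(e => e.type === 'dns').some(e => dnsMatch(e.value, host));
  }
  return cert.subjectCN ? dnsMatch(cert.subjectCN, host) : false;
}

// Constructed certificates.
const uriOnlyCert = { subjectCN: 'bank.example', san: [{ type: 'uri', value: 'https://attacker.example/' }] };
const oversizedCert = {
  subjectCN: 'bank.example',
  san: Array.from({ length: MAX_SAN_ENTRIES + 1 }, (_, i) => ({ type: 'dns', value: `h${i}.attacker.example` })),
};
const wildcardCert = { subjectCN: 'ignored.example', san: [{ type: 'dns', value: '*.bank.example' }] };
const legacyCert = { subjectCN: 'legacy.example', san: [] };
```

The practical consequence for the two CVEs: an attacker who can obtain a certificate whose CN is the victim's name but whose SAN a CA will sign (URI or SRV entries, or a very long list) gets accepted by the flawed matcher and rejected by this one.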
Red Hat–Red Hat Hardened Images A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service. 2026-05-26 7.8 CVE-2026-48864
Red Hat–Red Hat OpenShift Container Platform 4 A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses. 2026-05-29 7.7 CVE-2026-42965
Red Hat–Red Hat OpenShift Container Platform 4 A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities. 2026-05-29 7.4 CVE-2026-46579
Red Hat–Red Hat OpenShift Virtualization 4 A flaw was found in KubeVirt’s virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod’s filesystem. This leads to information disclosure, potentially exposing sensitive data. 2026-05-28 7.7 CVE-2026-9804
revmakx–Backup and Staging by WP Time Capsule Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25. 2026-05-27 7.5 CVE-2026-42760
RiceTheme–Felan Framework Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3. 2026-05-27 7.1 CVE-2025-22741
riebl–vanetza Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a. 2026-05-26 7.5 CVE-2026-43988
riebl–vanetza Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages, the ASN.1 decoder accepts the structure as syntactically valid. However, this reveals a logic-based protocol failure where semantic constraints on specific fields are only strictly enforced during OER re-encoding. Specifically, if a crafted packet contains a certificate where the Psid (Provider Service Identifier) sub-type violates subtype constraints (e.g., out-of-range or invalid CHOICE variant), it is accepted during initial parsing, where subtype constraints are not enforced. Later, when StraightVerifyService attempts to calculate a message hash for cryptographic verification, it must re-encode the signing certificate. The underlying ASN.1 wrapper (asn1c_wrapper.cpp) detects the semantic violation during encoding and raises a std::runtime_error. This exception is not caught within the encoding path and propagates to std::terminate, resulting in immediate process termination. This vulnerability is fixed with commit e1a2e2709210d309458c3d77f98d50dec26c0df0. 2026-05-26 7.5 CVE-2026-44905
robertpeake–Login No Captcha reCAPTCHA The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack. 2026-05-28 7.2 CVE-2026-2374
Roundcube–Webmail Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass. 2026-05-25 8.1 CVE-2026-48842
Roundcube–Webmail Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages that may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540. 2026-05-25 7.2 CVE-2026-48843
Roundcube–Webmail Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.) 2026-05-25 7.5 CVE-2026-48844
Roundcube–Webmail Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute. 2026-05-25 7.2 CVE-2026-48848
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = “rustfsadmin” when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 9.8 CVE-2026-45039
Saleswonder Team: Tobias–WebinarIgnition Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects WebinarIgnition: from n/a through < 4.08.253. 2026-05-27 9.9 CVE-2026-42757
Saleswonder Team: Tobias–WebinarIgnition Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation. This issue affects WebinarIgnition: from n/a through < 4.08.253. 2026-05-27 9.8 CVE-2026-42758
sambitraj–STUDENT-MANAGEMENT-SYSTEM A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. This impacts an unknown function of the component Login Page. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-30 7.3 CVE-2026-10111
sambitraj–STUDENT-MANAGEMENT-SYSTEM A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-26 7.3 CVE-2026-9562
Samsung Open Source–Escargot Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31. 2026-05-28 8.8 CVE-2026-8915
sbthemes–WooCommerce Infinite Scroll and Ajax Pagination The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the ‘settings’ parameter in the ‘import_settings’ function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2026-05-29 8.8 CVE-2025-11993
ScadaBR–ScadaBR Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root. 2026-05-28 9.9 CVE-2026-9645
SDMC Technology Co., Ltd–NE6037 SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system. 2026-05-28 9.8 CVE-2026-24444
sebhildebrandt–systeminformation systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6. 2026-05-27 7.8 CVE-2026-44724
SeedProd LLC–SeedProd Pro Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5. 2026-05-27 7.5 CVE-2026-48972
servo–smallbitvec smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. This vulnerability is fixed in 2.6.1. 2026-05-26 7.3 CVE-2026-44983
shabti–Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action’s run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field’s pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field. 2026-05-28 8.8 CVE-2026-6226
shabti–Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator’s user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its ‘Roles’ configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to ‘none’ for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form. 2026-05-28 8.8 CVE-2026-7802
shazdeh–Query Shortcode The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. 2026-05-27 7.5 CVE-2026-9200
Shenzhen Sixun Software–Sixun Shanghui Group Business Management System A vulnerability was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10. Affected by this vulnerability is an unknown functionality of the file /api/Dinner/PayConfig. Performing a manipulation of the argument tableno results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 7.3 CVE-2026-9544
shepherdwind–velocity.js Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment. 2026-05-26 8.3 CVE-2026-44966
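The prototype-pollution sink common to CVE-2026-46509 (deepobj) and CVE-2026-44966 (velocity.js #set), as one added example that is not the code of either package: a deep setter of the kind both provide, the __proto__ path that reaches Object.prototype, a setter that refuses prototype-reaching keys, and a check for a runtime that is already polluted. The paths and values are constructed; the demonstration cleans up after itself.

```javascript
// Added example, not deepobj or velocity.js code: vulnerable and hardened deep
// setters, and a detector for an already-polluted Object.prototype.

function setDeepVulnerable(target, pathStr, value) {
  const keys = pathStr.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];            // "__proto__" walks straight into Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function setDeepSafe(target, pathStr, value) {
  const keys = pathStr.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error('refusing prototype-reaching key: ' + k);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    // Only descend into own, plain containers; create prototype-less ones otherwise.
    if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// True when nobody has added enumerable properties to Object.prototype.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Pollute, observe the effect on a fresh object, then remove it again.
function demonstratePollution() {
  const before = prototypeIsClean();
  setDeepVulnerable({}, '__proto__.polluted', 'yes');
  const seenOnFreshObject = ({}).polluted;
  const detected = !prototypeIsClean();
  delete Object.prototype.polluted;
  return { before, seenOnFreshObject, detected, after: prototypeIsClean() };
}
```

The key-denylist is necessary but not the whole story: walking into an inherited property is the other half of the bug, which is why the safe setter descends only into own properties and builds intermediate objects with Object.create(null). For the template-engine case the same rule applies to the variable path a #set directive resolves.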
sherlock-project–sherlock Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1. 2026-05-27 9.3 CVE-2026-44590
Shibby–Tomato A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 8.8 CVE-2026-10065
Shibby–Tomato A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 8.8 CVE-2026-10066
Shibby–Tomato A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 8.8 CVE-2026-10067
Shibby–Tomato A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10124
Shibby–Tomato A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 7.3 CVE-2026-10068
Shibby–Tomato A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 7.5 CVE-2026-10069
shopperlabs–shopper Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0. 2026-05-29 9.9 CVE-2026-47744
shopperlabs–shopper Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0. 2026-05-29 8.1 CVE-2026-47740
silabs.com–Simplicity SDK An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond. 2026-05-26 8.8 CVE-2026-8676
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0. 2026-05-29 9.8 CVE-2026-44649
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, the POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0. 2026-05-29 9.1 CVE-2026-44650
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0. 2026-05-29 8.5 CVE-2026-46372
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0. 2026-05-29 7.5 CVE-2026-44648
Simpkh–SIM-PKH SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts. 2026-05-30 8.8 CVE-2018-25409
Simpkh–SIM-PKH SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details. 2026-05-30 7.1 CVE-2018-25410
Sitejo–HaPe PKH HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the ‘id’ parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version. 2026-05-29 8.2 CVE-2018-25386
Sitejo–HaPe PKH HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server. 2026-05-29 8.8 CVE-2018-25388
Sitejo–HaPe PKH HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the ‘nama_kelompok’ POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information. 2026-05-29 8.2 CVE-2018-25389
Sitejo–HaPe PKH HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the ‘desa’ POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information. 2026-05-29 8.2 CVE-2018-25390
Sitejo–HaPe PKH HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record’s id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester’s privileges, enabling removal of pengurus (administrator) and update records. 2026-05-29 7.5 CVE-2018-25391
smub–WPCode Insert Headers and Footers + Custom Code Snippets WordPress Code Manager The WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the ‘wpcode’ custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode. 2026-05-27 8.8 CVE-2026-8832
SocuSoft–3GP Photo Slideshow Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft malicious input in the Registration Name and Registration Key fields to overwrite the SEH chain and execute shellcode for reverse shell access. 2026-05-25 8.4 CVE-2018-25376
SocuSoft–DVD Photo Slideshow Professional SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious text file with carefully constructed payload containing junk bytes, SEH chain overwrite, and shellcode, then paste the contents into the Registration Name field via Help > Register to trigger code execution. 2026-05-25 8.4 CVE-2018-25373
SocuSoft–Flash Slideshow Maker Professional Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload and paste it into the Name and Code fields of the Help > Register dialog to trigger a reverse shell with system privileges. 2026-05-25 8.4 CVE-2018-25377
SocuSoft–iPod Photo Slideshow SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft malicious input in the Registration Name and Registration Key fields to trigger a stack-based buffer overflow and execute a reverse shell payload. 2026-05-25 8.4 CVE-2018-25375
Softneta–MedDream PACS Server Premium Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and access sensitive files including system configuration and password files. 2026-05-25 7.5 CVE-2018-25374
solana-foundation–anchor Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, a logic error causes Anchor programs to accept any program id when requiring the system program id, causing false assumptions that result in potential arbitrary CPI in programs that invoke system program instructions. In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to check whether Anchor should allow any executable account or only a specific account, because when no T is supplied, T defaults to (), which implements Id::id() by returning Pubkey::default(). As a result, T = () and T = System (which has Pubkey::default() as its id) have the same behavior: both allow any executable account. Programs built with Anchor assume that the Anchor runtime verifies that passed-in programs of type Program<'a, System> are in fact the system program. This false assumption can lead to arbitrary CPI or payment bypassing when programs make CPI calls to the system program using the passed-in system program, because an attacker can pass in any program instead of the system program. This vulnerability is fixed in 1.0.2. 2026-05-27 8.2 CVE-2026-45137
SourceCodester–Hospitals Patient Records Management System A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-31 7.3 CVE-2026-10184
SourceCodester–Hospitals Patient Records Management System A weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-31 7.3 CVE-2026-10185
SourceCodester–Simple POS and Inventory System A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. 2026-05-25 7.3 CVE-2026-9447
spatie–laravel-medialibrary Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not. 2026-05-29 8.8 CVE-2026-48557
spatie–laravel-medialibrary Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. 2026-05-29 7.4 CVE-2026-48555
spider312–MOGG web simulator Script MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data. 2026-05-30 8.2 CVE-2018-25422
Splinterware–Splinterware System Scheduler Pro Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Attackers can rename the WService.exe file in the installation directory and replace it with a malicious executable that executes with LocalSystem privileges when the service is triggered. 2026-05-25 8.4 CVE-2018-25359
spring-ai-community–mcp-security mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying whether the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled. This vulnerability is fixed in 0.1.9. 2026-05-29 7.2 CVE-2026-45609
StoreApps–Smart Manager Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation. This issue affects Smart Manager: from n/a through 8.85.0. 2026-05-25 8.8 CVE-2026-45216
Studio-42–elFinder elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68. 2026-05-27 8.8 CVE-2026-44521
Stylemix–MasterStudy LMS Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.7.29. 2026-05-27 8.5 CVE-2026-42730
Synology–Active Backup for Business A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files. 2026-05-27 8.6 CVE-2025-30028
Synology–BeeDrive for desktop Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. 2026-05-27 7.8 CVE-2023-52945
Synology–BeeStation OS Buffer copy without checking size of input (‘Classic Buffer Overflow’) vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors. 2026-05-27 9.8 CVE-2025-12686
Synology–C2 Identity Edge Server An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server. 2026-05-27 7.5 CVE-2025-14713
Synology–DiskStation Manager (DSM) Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN). 2026-05-27 8.1 CVE-2025-13392
tainacan–Tainacan Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection. This issue affects Tainacan: from n/a through <= 1.0.3. 2026-05-27 9.3 CVE-2026-42740
Talagasoft–MaxOn ERP MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names. 2026-05-29 7.1 CVE-2018-25392
Tanium–Connect Tanium addressed an unauthorized code execution vulnerability in Connect. 2026-05-27 8.8 CVE-2026-9207
Tanium–Connect Tanium addressed an unauthorized code execution vulnerability in Connect. 2026-05-27 8.8 CVE-2026-9208
Tenda–F1202 A vulnerability has been found in Tenda F1202 1.2.0.20(408). Affected is the function fromPPTPUserSetting of the file /goform/PPTPUserSetting. Such manipulation of the argument delno leads to stack-based buffer overflow. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. 2026-05-25 8.8 CVE-2026-9428
Tenda–F1202 A vulnerability was found in Tenda F1202 1.2.0.20(408). Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet. Performing a manipulation of the argument delno results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 2026-05-25 8.8 CVE-2026-9429
Tenda–F1202 A vulnerability was determined in Tenda F1202 1.2.0.20(408). Affected by this issue is the function formGstDhcpSetSer of the file /goform/GstDhcpSetSerof. Executing a manipulation of the argument dips can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-25 8.8 CVE-2026-9430
Tenda–F1202 A vulnerability was identified in Tenda F1202 1.2.0.20(408). This affects the function fromPptpUserAdd of the file /goform/PptpUserAdd. The manipulation of the argument opttype leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. 2026-05-25 8.8 CVE-2026-9431
Tenda–W12 A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. The attack may be performed remotely. The exploit has been published and may be used. 2026-05-31 8.8 CVE-2026-10188
Tenda–W12 A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 2026-05-31 8.8 CVE-2026-10189
Tenda–W12 A vulnerability was determined in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-31 8.8 CVE-2026-10191
Tenda–W12 A vulnerability was identified in Tenda W12 3.0.0.7(4763). The affected element is the function set_local_time_0 of the file /bin/httpd. Such manipulation of the argument Time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. 2026-05-31 8.8 CVE-2026-10192
Themeisle–Disable Comments for Any Post Types (Remove comments) Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0. 2026-05-27 7.1 CVE-2026-42749
thorsten–phpMyFAQ phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user’s password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request. 2026-05-28 8.8 CVE-2026-35671
thorsten–phpMyFAQ phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access. 2026-05-28 8.2 CVE-2026-35675
thorsten–phpMyFAQ phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials. 2026-05-28 8.2 CVE-2026-35676
thorsten–phpMyFAQ phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. 2026-05-28 7.5 CVE-2026-35672
Tiandy–Easy7 Integrated Management Platform A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 7.3 CVE-2026-9465
Timo–Affiliate Super Assistent Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS. This issue affects Affiliate Super Assistent: from n/a through <= 1.10.1. 2026-05-27 7.1 CVE-2026-42759
tinymce–tinymce TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). This allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. 2026-05-28 8.7 CVE-2026-47759
tinymce–tinymce TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0. 2026-05-28 8.7 CVE-2026-47760
tinymce–tinymce TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. This impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. 2026-05-28 8.7 CVE-2026-47761
tinymce–tinymce TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. This allows attackers to bypass sanitization and inject scripts that execute when content is restored. This impacts users who use the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. 2026-05-28 8.7 CVE-2026-47762
Totolink–A8000RU A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed remotely. The exploit is now public and may be used. 2026-05-25 9.8 CVE-2026-9408
Totolink–A8000RU A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 9.8 CVE-2026-9432
Totolink–A8000RU A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-25 9.8 CVE-2026-9433
Totolink–A8000RU A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument wscDisabled leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2026-05-25 9.8 CVE-2026-9434
Totolink–A8000RU A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. The attack can be carried out remotely. The exploit is now public and may be used. 2026-05-25 9.8 CVE-2026-9435
Totolink–A8000RU A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. 2026-05-25 9.8 CVE-2026-9436
Totolink–A8000RU A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument servername can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. 2026-05-25 9.8 CVE-2026-9454
Totolink–A8000RU A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument FileName leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. 2026-05-25 9.8 CVE-2026-9455
Totolink–A8000RU A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enabled results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. 2026-05-25 9.8 CVE-2026-9456
Totolink–A8000RU A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-25 9.8 CVE-2026-9457
Totolink–A8000RU A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument enabled leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. 2026-05-25 9.8 CVE-2026-9458
Totolink–A8000RU A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2026-05-25 9.8 CVE-2026-9475
Totolink–A8000RU A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. 2026-05-25 9.8 CVE-2026-9476
Totolink–A8000RU A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 9.8 CVE-2026-9477
Totolink–A8000RU A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. 2026-05-25 9.8 CVE-2026-9478
Totolink–N300RH A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Performing a manipulation of the argument KeyStr results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2026-05-31 9.8 CVE-2026-10187
Totolink–N300RH A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2026-05-26 9.8 CVE-2026-9543
TRENDnet–TEW-432BRP A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSetRoute of the file /goform/formSetRoute. This manipulation of the argument ip/mask/gateway causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 8.8 CVE-2026-10062
TRENDnet–TEW-432BRP A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 8.8 CVE-2026-10063
TRENDnet–TEW-432BRP A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSetMACFilter of the file /goform/formSetMACFilter. The manipulation of the argument filter_name leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10119
TRENDnet–TEW-432BRP A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetFirewallRule of the file /goform/formSetFirewallRule. The manipulation of the argument firewall_name results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10120
TRENDnet–TEW-432BRP A flaw has been found in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formSetUrlFilter of the file /goform/formSetUrlFilter. This manipulation of the argument keyword_list/keyword causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10121
TRENDnet–TEW-432BRP A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetProtocolFilter of the file /goform/formSetProtocolFilter. Such manipulation of the argument protocol_name leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10122
TRENDnet–TEW-432BRP A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetDomainFilter of the file /goform/formSetDomainFilter. Performing a manipulation of the argument blocked_domain/permitted_domain/blocked_domain_list/permitted_domain_list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-30 8.8 CVE-2026-10123
TRENDnet–TEW-432BRP A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. Affected is the function formPortFw of the file /goform/formPortFw. The manipulation of the argument server_name results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10158
TRENDnet–TEW-432BRP A weakness has been identified in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSysLog of the file /goform/formSysLog. This manipulation of the argument current_page causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10159
TRENDnet–TEW-432BRP A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formSetEnableWizard of the file /goform/formSetEnableWizard. Such manipulation of the argument start_wizard leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10160
TRENDnet–TEW-432BRP A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. This affects the function formResetStatistic of the file /goform/formResetStatistic. Performing a manipulation of the argument status_statistic results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10161
TRENDnet–TEW-432BRP A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This vulnerability affects the function formSetPassword of the file /goform/formSetPassword. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10162
TRENDnet–TEW-432BRP A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This issue affects the function formSetWlanEncrypt of the file /goform/formSetWlanEncrypt. This manipulation of the argument webpage causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10179
TRENDnet–TEW-432BRP A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSysCmd of the file /goform/formSysCmd. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10181
TRENDnet–TEW-432BRP A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. This affects the function formWlanSetup of the file /goform/formWlanSetup. The manipulation of the argument enrollee leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 8.8 CVE-2026-10183
twentyhq–twenty Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts. 2026-05-26 9.9 CVE-2026-46624
twentyhq–twenty Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim’s browser in the context of the Twenty CRM domain when accessed – enabling session hijacking, account takeover, and data theft. 2026-05-26 8.7 CVE-2026-44729
uniget-org–cli uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1. 2026-05-27 7.8 CVE-2026-45152
Unlimited Elements–Unlimited Elements For Elementor Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8. 2026-05-25 8.5 CVE-2026-48837
Usagi-org–ai-goofish-monitor Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/(unknown) endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and ‘..’, by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process. 2026-05-28 7.5 CVE-2026-10044
UTT–HiPER 1200GW A security flaw has been discovered in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/setSysAdm of the component Web Management Interface. The manipulation of the argument sysAdmUser/sysAdmPass results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-27 8.8 CVE-2026-9627
UTT–HiPER 1200GW A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web Management Interface. This manipulation of the argument PPTP server address/username/password/tunnel name causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-27 8.8 CVE-2026-9628
UTT–HiPER 1250GW A vulnerability was detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this vulnerability is the function strcpy of the file /goform/formConfigFastDirectionW of the component Web Management Interface. Performing a manipulation of the argument Profile results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-05-27 8.8 CVE-2026-9631
UTT–HiPER 1250GW A flaw has been found in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this issue is the function strcpy of the file /goform/formGroupConfig of the component Web Management Interface. Executing a manipulation of the argument Profile can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-05-27 8.8 CVE-2026-9632
verbb–formie Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24. 2026-05-29 9.8 CVE-2026-45697
veronalabs–SlimStat Analytics The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘User-Agent’ header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed. 2026-05-28 7.2 CVE-2026-7634
VideoWhisper.com–Broadcast Live Video Improper Control of Generation of Code (‘Code Injection’) vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3. 2026-05-25 7.2 CVE-2026-24937
WC Lovers–WCFM Membership Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through <= 2.11.10. 2026-05-27 7.3 CVE-2026-42753
WebPros–Comet Backup Insufficient character filtering in the backup agent signing module on the Comet Backup server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices. 2026-05-28 9.1 CVE-2026-32999
WebPros–Plesk Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation. 2026-05-29 10 CVE-2026-44962
WebToffee–Smart Coupons for WooCommerce Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0. 2026-05-25 7.5 CVE-2026-45438
Winmtr–WinMTR WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Attackers can create a specially crafted input file with 238 bytes of data to trigger a buffer overflow condition that causes the application to crash. 2026-05-30 7.5 CVE-2018-25426
wordplus–BP Better Messages Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Better Messages: from n/a through <= 2.14.16. 2026-05-27 7.5 CVE-2026-42736
WPify–WPify Woo Czech Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.1. 2026-05-27 9.9 CVE-2026-42748
WPTravel–WP Travel Pro The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators. 2026-05-29 9.1 CVE-2026-4290
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A single-quote character (') in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands. 2026-05-29 8.8 CVE-2026-45578
xddxdd–bird-lg-go bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go’s JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host’s physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5. 2026-05-27 7.5 CVE-2026-45047
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories – past the configured server root – looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed – including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication – the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7. 2026-05-26 9 CVE-2026-45721
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory – arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. 2026-05-26 8.2 CVE-2026-48126
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7. 2026-05-26 7.5 CVE-2026-45728
yashpokharna2555–StudentManagementSystem A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. This manipulation of the argument User causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 7.3 CVE-2026-9469
yashpokharna2555–StudentManagementSystem A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm_logged_in of the file student_trans.php. Such manipulation of the argument FIRST_NAME/Last_Name/EMAIL leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 7.3 CVE-2026-9470
yashpokharna2555–StudentManagementSystem A vulnerability was found in yashpokharna2555 StudentManagementSystem up to cb2f558ddf8d19396de0f92abf2d224d46a0a203. Affected by this issue is the function confirm_logged_in of the file /studentdel.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 7.3 CVE-2026-9474
yhirose–cpp-httplib cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib’s server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0. 2026-05-29 9.9 CVE-2026-45372
Yot–Yot CMS Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names. 2026-05-30 8.2 CVE-2018-25425
yudiz–WP Contact Form 7 DB Handler The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field. This is combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result’s post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing ‘ys_cfdbh_file’ are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files). 2026-05-28 8.1 CVE-2026-6455
ZAYTECH–Smart Online Order for Clover Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. 2026-05-27 7.1 CVE-2026-42738
ZAYTECH–Smart Online Order for Clover Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. 2026-05-27 7.3 CVE-2026-42745
ZAYTECH–Smart Online Order for Clover Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. 2026-05-27 7.3 CVE-2026-42746
zed-industries–zed Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env …, but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(…)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user’s account. This vulnerability is fixed in 0.227.1. 2026-05-28 8.6 CVE-2026-44461
zed-industries–zed Zed is a code editor. Prior to 0.229.0, Zed’s terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0. 2026-05-28 8.6 CVE-2026-44463
zed-industries–zed Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution (RCE) when a victim opens a folder in untrusted mode. This vulnerability is fixed in 0.227.1. 2026-05-28 8.6 CVE-2026-44465
zed-industries–zed Zed is a code editor. Prior to 0.229.0, Zed’s terminal tool permission system can be bypassed via bash arithmetic expansion $((…)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0. 2026-05-28 8.6 CVE-2026-44466
ZTE–ZXUniPOS NDS-LTE Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information. 2026-05-27 9.1 CVE-2026-49002
ZTE–ZXUniPOS NDS-LTE An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakage or tampering, such as hard-coded keys or the use of weak encryption algorithms. 2026-05-27 7 CVE-2026-49000
zyddnys–manga-image-translator manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root. 2026-05-29 9.8 CVE-2026-10042

Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info
10web–Photo Gallery by 10Web Mobile-Friendly Image Gallery The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered. 2026-05-28 6.5 CVE-2026-7048
3clyp50–agent-zero Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled. Attackers can request any file with an image extension readable by the process, including files outside the agent workspace, user home directories, and mounted volumes, and can also leverage symlink-based escapes due to the lack of path canonicalization in the path resolution logic. 2026-05-27 6.5 CVE-2026-47118
3clyp50–agent-zero Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image_get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image_get endpoint, causing the browser to execute the malicious script, steal the csrf_token cookie, and perform unauthorized API calls on behalf of the victim. 2026-05-27 6.1 CVE-2026-47119
3uu–Shariff Wrapper The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘headline’ parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute. 2026-05-28 6.4 CVE-2026-4334
a3rev–a3 Lazy Load The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin’s class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser’s quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post. 2026-05-28 6.4 CVE-2026-6427
adamhathcock–sharpcompress SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process. 2026-05-26 5.9 CVE-2026-44788
Admidio–Admidio Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication. 2026-05-25 5.3 CVE-2018-25370
adnanmoqsood–Team Master A Modern WordPress Team Showcase The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8870
Ads by WPQuads–Ads by WPQuads Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation. This issue affects Ads by WPQuads: from n/a through <= 3.0.2. 2026-05-27 6.5 CVE-2026-42732
Ads by WPQuads–Ads by WPQuads Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields. This issue affects Ads by WPQuads: from n/a through <= 3.0.2. 2026-05-27 6.5 CVE-2026-42744
Aider-AI–Aider A vulnerability was identified in Aider-AI Aider 0.86.3. Affected is an unknown function of the file aider/args.py of the component Pre-commit Hook Handler. Such manipulation of the argument git-commit-verify leads to protection mechanism failure. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10174
Aider-AI–Aider A security flaw has been discovered in Aider-AI Aider 0.86.3. Affected by this vulnerability is the function editor_coder.run of the file auth.py of the component Architect Mode. Performing a manipulation results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10175
Aider-AI–Aider A weakness has been identified in Aider-AI Aider 0.86.3. Affected by this issue is some unknown functionality of the component Code Generation Workflow. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10176
Aider-AI–Aider A security vulnerability has been detected in Aider-AI Aider 0.86.3. This affects the function requests.get of the file api_docs.py of the component AWS EC2 Metadata Endpoint. The manipulation leads to server-side request forgery. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The pull request to fix this issue awaits acceptance. 2026-05-31 6.3 CVE-2026-10177
analogwp–Style Kits for Elementor The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘/wp-json/agwp/v1/tokens/save’ endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-6565
Armcode–Arm Whois Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a malicious buffer of 700 bytes into the IP address or domain input field to trigger a denial of service condition. 2026-05-30 6.2 CVE-2018-25423
Assimp–Assimp A vulnerability was found in Assimp up to 6.0.4. This affects the function glTFCommon::CopyValue in the library glTFCommon.h of the component 4×4 Matrix Parser. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The project tagged the reported issue as bug. 2026-05-31 5.3 CVE-2026-10200
authlib–authlib Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib’s OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1. 2026-05-27 6.1 CVE-2026-44681
Autodesk–3ds Max A maliciously crafted PAR file, when parsed through Autodesk 3ds Max, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition. 2026-05-26 5.3 CVE-2026-7450
Autodesk–3ds Max A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can cause a Stack Exhaustion vulnerability, leading to a denial-of-service condition. 2026-05-26 5.3 CVE-2026-7453
Averta–Master Slider Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.10.8. 2026-05-27 6.5 CVE-2026-48968
ays-pro–Poll Maker by AYS Versus Polls, Anonymous Polls, Image Polls The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the ‘ays_poll_get_user_information’ AJAX action, which serializes and returns the complete WP_User object – including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities – without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks. 2026-05-29 4.3 CVE-2026-8995
BankPro E-Service Technology–Service Center Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users’ EC order details. 2026-05-29 6.5 CVE-2026-9493
Bdtask–Multi-Store Inventory Management System A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. 2026-05-31 6.3 CVE-2026-10172
Bdtask–Multi-Store Inventory Management System A vulnerability was found in Bdtask Multi-Store Inventory Management System 1.0. The impacted element is the function accounts_report_search of the file application/modules/accounts/controllers/Accounts.php of the component Accounts Report Handler. Performing a manipulation of the argument dtpToDate results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. 2026-05-30 4.7 CVE-2026-10155
Benbodhi–SVG Support Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14. 2026-05-27 4.3 CVE-2026-48973
bensibley–Independent Analytics WordPress Analytics Plugin The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress’s wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services. 2026-05-28 6.5 CVE-2026-5737
bitform–BitForm Data management solution for WordPress The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘bitform’ shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (‘width’ and ‘height’) in the Shortcode::shortcode() function, which are interpolated directly into the ‘style’ attribute of an <iframe> element. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8891
Bizswoop–Account Manager for WooCommerce Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Account Manager for WooCommerce: from n/a through 2.1.2. 2026-05-27 4.3 CVE-2022-41656
blitz-js–blitz A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 4.3 CVE-2026-9520
bPlugins–Tiktok Feed Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. 2026-05-26 4.3 CVE-2026-24520
bradyholt–jQuery googleslides The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘googleslides’ shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8866
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1. 2026-05-27 6.5 CVE-2026-45719
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4. 2026-05-27 6.5 CVE-2026-48147
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view’s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view’s security filters. This vulnerability is fixed in 3.38.1. 2026-05-27 5.4 CVE-2026-45718
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour. This vulnerability is fixed in 3.38.2. 2026-05-27 4.2 CVE-2026-46424
bugsink–bugsink Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3. 2026-05-26 4.3 CVE-2026-44502
bugsink–bugsink Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0. 2026-05-26 4.3 CVE-2026-47728
c-rick–jimeng-mcp A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 6.3 CVE-2026-9473
Canon Inc.–Canon PIXUS iX6800 Series CUPS Printer Driver for macOS Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS (*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of directories for which they would not normally have authorization. (*) Canon PIXUS iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (Japan); Canon PIXMA MG2500 Series and iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (US and Europe). 2026-05-29 5 CVE-2026-6892
Canon Inc.–My Image Garden for macOS Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization. 2026-05-28 5 CVE-2026-6891
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion. 2026-05-28 6.1 CVE-2026-47328
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion. 2026-05-28 5.5 CVE-2026-47326
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects. 2026-05-28 5.5 CVE-2026-47332
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock. 2026-05-28 5.5 CVE-2026-47334
Canonical–Ubuntu Linux Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic. 2026-05-28 5.5 CVE-2026-47335
celloexpressions–Content Slideshow The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8873
changmingxie–tcc-transaction A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9497
chatwoot–chatwoot Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot’s authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker’s pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0. 2026-05-26 6.8 CVE-2026-44707
checkpoint–Quantum Security Gateway When the DLP is active, the UserCheck Web Portal contains an input-handling issue in the UserChoice flow. Under specific conditions, an attacker who can access the UserCheck Ask page could attempt to manipulate the Security Gateway’s stored DLP/UserCheck incident information. This could lead to disruptions such as loss of stored incident entries, incorrect handling of pending approvals, or resource impact if the issue is abused repeatedly. Exposure is reduced if the UserCheck Portal is not accessible from untrusted networks. 2026-05-26 5.6 CVE-2026-48134
checkpoint–Quantum Security Gateway A Check Point HTTP-based service can incorrectly handle malformed HTTP requests. The issue is related to HTTP request parsing and validation. 2026-05-26 5.3 CVE-2026-48135
checkpoint–Quantum Security Management When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain (CMA) can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permissions, bypassing Role-Based Access Control (RBAC). 2026-05-26 4.1 CVE-2026-48136
clorith–Enable jQuery Migrate Helper The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has known security vulnerabilities. 2026-05-27 6.5 CVE-2026-3279
Cloud Foundry Foundation–BOSH Director When the director sends a long-running request (e.g. compile_package), the agent’s reply JSON is consumed by AgentClient. inject_compile_log (lines 332-339) reads response['value']['result']['compile_log_id'] and format_exception (lines 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (lines 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root. Affected versions: BOSH Director: All versions prior to v282.1.12 2026-05-27 5.8 CVE-2026-41009
Cloud Foundry Foundation–BOSH Director AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (lines 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12 2026-05-27 5 CVE-2026-41704
cloudways–Breeze Cache The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the “Cache Logged-in Users” setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session’s cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users. 2026-05-29 5.3 CVE-2026-2128
code-projects–Employee Management System A vulnerability was identified in code-projects Employee Management System 1.0. This impacts an unknown function of the file /changepassemp.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. 2026-05-25 6.3 CVE-2026-9449
code-projects–Employee Management System A security flaw has been discovered in code-projects Employee Management System 1.0. Affected is an unknown function of the file /psubmit.php. The manipulation of the argument pid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 6.3 CVE-2026-9450
code-projects–Employee Management System A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-25 6.3 CVE-2026-9451
code-projects–Employee Management System A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. 2026-05-25 4.3 CVE-2026-9415
code-projects–Employee Management System A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2026-05-25 4.3 CVE-2026-9416
code-projects–Employee Management System A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2026-05-25 4.3 CVE-2026-9417
code-projects–Employee Management System A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used. 2026-05-25 4.3 CVE-2026-9418
code-projects–Employee Management System A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 2026-05-25 4.3 CVE-2026-9419
code-projects–Employee Management System A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. 2026-05-25 4.3 CVE-2026-9448
code-projects–Online Music Site A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2026-05-31 4.7 CVE-2026-10171
code-projects–Visitor Management System A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. 2026-05-31 6.3 CVE-2026-10170
CodeAstro–Leave Management System A weakness has been identified in CodeAstro Leave Management System 1.0. The affected element is an unknown function of the file /admin/add_staff.php. Executing a manipulation of the argument email_id can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-26 6.3 CVE-2026-9542
codycave–Endless Scroll The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8703
Convers Lab–WPSubscription Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1. 2026-05-25 4.3 CVE-2026-24554
Cornel Raiu–WP Search Analytics Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Search Analytics: from n/a before 1.5.0. 2026-05-25 5.3 CVE-2026-27357
creativemindssolutions–CM Ad Changer A simple tool to control and optimize your site’s banners The CM Ad Changer – A simple tool to control and optimize your site’s banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-9236
creaweb2b–Simple Divi Shortcode The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the [showmodule] shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmodule_shortcode() function, which concatenates the ‘id’ shortcode attribute directly into a dynamically constructed shortcode string without applying esc_attr() or any escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-29 6.4 CVE-2026-9714
croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication. 2026-05-28 5.3 CVE-2026-6937
croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP’s sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users. 2026-05-27 5.3 CVE-2026-7493
cryptoprijzen–Cryptocurrency Prijsvergelijking Widget The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8698
cuamckuy–Easy Prism Syntax Highlighter The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘code’ (and ‘c’) shortcode in versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes in the shortcode() function, which concatenates the first positional attribute directly into the class attribute of the generated <pre>/<code> HTML without calling esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8875
cyberhobo–Geo Mashup The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials. 2026-05-28 5.3 CVE-2026-7552
czlonkowski–n8n-mcp n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project’s anonymous telemetry backend. Values placed in HTTP-Request-style node parameters – such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters – could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3. 2026-05-29 6.5 CVE-2026-45582
DALIBO–PostgreSQL Anonymizer PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and later versions. 2026-05-27 6.8 CVE-2026-9617
Danelec–MacGregor Voyage Data Recorder (VDR) G4e The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password. 2026-05-29 5.7 CVE-2026-40425
Danelec–MacGregor Voyage Data Recorder (VDR) G4e An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes. 2026-05-29 5.4 CVE-2026-42951
Danelec–MacGregor Voyage Data Recorder (VDR) G4e Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks. 2026-05-29 5.4 CVE-2026-44611
DataDog–guarddog GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs. 2026-05-27 5 CVE-2026-44972
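The GuardDog row is a reminder that scanner output is itself an attack surface: a filename or message copied from a malicious package can carry ANSI or OSC sequences that erase the finding, print a fake verdict, or plant a hyperlink in the analyst's terminal or CI log. The Python below is an added example, not GuardDog code, of the sanitiser a reporting tool wants on every attacker-influenced field. It escapes CSI, OSC and other ESC-introduced sequences plus stray C0/C1 control bytes into a visible \xNN form while leaving tabs and newlines alone. The malicious filename it is run over is constructed for the example.

```python
"""Neutralising terminal escape sequences in attacker-influenced findings.

Added example modelled on CVE-2026-44972; not GuardDog code. The filename
below is constructed: it tries to erase the current line, overwrite it with
a fake "no findings" verdict, and add an OSC 8 hyperlink to a phishing page.
"""
import re

# ESC-introduced sequences first (CSI, OSC, then any other two-byte escape),
# then any remaining C0/C1 control byte. Tab and newline are deliberately
# left alone; carriage return is not, because it is a line-overwrite primitive.
_CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... (BEL | ESC \)
    r"|\x1b[ -~]"                            # any other ESC + printable pair
    r"|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"   # stray C0/C1 controls
)

# Constructed malicious package path: clear line, go to column 0, print a fake
# verdict, then an OSC 8 hyperlink whose visible text hides the real target.
EVIL_PATH = (
    "pkg/setup.py\x1b[2K\x1b[0G[OK] no findings"
    "\x1b]8;;https://attacker.invalid/\x07see report\x1b]8;;\x07"
)


def _visible(match: re.Match) -> str:
    """Render a matched sequence inert but recognisable: control bytes become
    \\xNN, the printable parameter bytes are kept so the analyst can read it."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7F else f"\\x{ord(ch):02x}" for ch in match.group(0)
    )


def sanitize_for_terminal(text: str) -> str:
    """Escape every terminal control sequence in text."""
    return _CONTROL_RE.sub(_visible, text)


def has_terminal_escapes(text: str) -> bool:
    return _CONTROL_RE.search(text) is not None


def render_finding(path: str, rule: str, message: str) -> str:
    """One human-readable output line with every attacker-influenced field
    escaped. The rule id comes from the scanner and is trusted as-is."""
    return f"{sanitize_for_terminal(path)}: {rule}: {sanitize_for_terminal(message)}"


if __name__ == "__main__":
    print(render_finding(EVIL_PATH, "exec-base64", "suspicious exec() of decoded payload"))
```

Escaping rather than stripping is deliberate: a stripped sequence hides the fact that the package tried something, while the \x1b[2K left in the log is itself a useful indicator.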
dattateccom–EnvíaloSimple: Email Marketing y Newsletters The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-27 4.9 CVE-2026-7618
davidanderson–Easy Updates Manager The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘paged’ parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link. 2026-05-28 6.1 CVE-2026-7660
dazeb–cline-mcp-memory-bank A security flaw has been discovered in dazeb cline-mcp-memory-bank up to 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. The affected element is the function handleInitializeMemoryBank of the file src/index.ts. The manipulation of the argument projectPath results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 6.3 CVE-2026-9468
dazeb–markdown-downloader A flaw has been found in dazeb markdown-downloader up to 3d4394b34b6c99d81af817623af55e3384df5a6a. Affected is the function download_markdown/list_downloaded_files/create_subdirectory of the file src/index.ts. Executing a manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 6.3 CVE-2026-9472
DearHive–DearFlip Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DearFlip: from n/a through 2.4.27. 2026-05-27 4.3 CVE-2026-49047
debugmcp–mcp-debugger A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 4.3 CVE-2026-9467
devitemsllc–ShopLentor All-in-One WooCommerce Growth & Store Enhancement Plugin The ShopLentor – WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blockUniqId’ block attribute in multiple Product Grid blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 5.4 CVE-2026-6287
dkjensen–Splide Carousel Block The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘url’ Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor’s post. 2026-05-27 6.4 CVE-2026-9022
Dolibarr–ERP CRM A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component. 2026-05-30 4.3 CVE-2026-10154
Dromara–lamp-cloud A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9498
DTStack–Taier A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. The manipulation of the argument sqlText leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9437
Dylan Kuhn–Geo Mashup Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18. 2026-05-26 6.5 CVE-2026-27427
e107inc–e107 e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user’s ownership of the comment. This vulnerability is fixed in 2.3.4. 2026-05-26 6.5 CVE-2026-43934
e107inc–e107 e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5. 2026-05-26 6.5 CVE-2026-46620
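The second e107 row is a fail-open check: session_handler::check() validates a CSRF token only when the request happens to carry one, so a forged request simply omits it. The Python below is an added example, not e107 code, placing the described behaviour beside the fail-closed form: every state-changing method must present a token, the comparison is constant-time, and only safe methods pass without one. The method set and token length are assumptions.

```python
"""Fail-open vs. fail-closed CSRF token validation (CVE-2026-46620 pattern).

Added example; not e107 code. check_fail_open() models the described
behaviour of session_handler::check(); check_fail_closed() is the corrected
shape. The set of state-changing methods and the token size are assumptions.
"""
import hmac
import secrets
from typing import Optional

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}   # assumption: RFC 9110 unsafe methods


def new_token() -> str:
    """Per-session token; 32 random bytes as hex."""
    return secrets.token_hex(32)


def check_fail_open(session_token: str, request_token: Optional[str]) -> bool:
    """Vulnerable shape: a request with no token at all is accepted, so the
    attacker's cross-site form just leaves the field out."""
    if request_token is None:
        return True
    return hmac.compare_digest(session_token, request_token)


def check_fail_closed(method: str, session_token: Optional[str], request_token: Optional[str]) -> bool:
    """Hardened shape: every state-changing request must carry a token that
    matches the session's, compared in constant time. Safe methods pass
    because they must not change state in the first place."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)


def moderate_comment(method: str, session_token: Optional[str], form: dict) -> str:
    """Moderation handler wired to the fail-closed check. Returns the outcome
    so callers (and tests) can see whether the action ran."""
    if not check_fail_closed(method, session_token, form.get("e-token")):
        return "denied"
    return f"{form.get('action', 'noop')} comment {form.get('comment_id')}"


if __name__ == "__main__":
    tok = new_token()
    forged = {"action": "delete", "comment_id": 7}     # no token field at all
    print("fail-open accepts forged request:", check_fail_open(tok, forged.get("e-token")))
    print("fail-closed handler:", moderate_comment("POST", tok, forged))
```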
e107inc–e107 e107 is a content management system (CMS). Prior to 2.3.4, the “Image/File URL:” field of the “From a remote location” import in the administrator screen’s “Media Manager” accepts a URL pointing at the local environment, so the server can be made to fetch resources from addresses that are only reachable locally. This vulnerability is fixed in 2.3.4. 2026-05-26 4.3 CVE-2026-43936
Edimax–BR-6478AC A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-30 6.3 CVE-2026-10127
Edimax–BR-6478AC A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-31 6.3 CVE-2026-10166
Edimax–BR-6478AC A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formAccept of the file /goform/formAccept of the component POST Request Handler. Such manipulation of the argument submit-url leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9440
Edimax–BR-6478AC A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. Performing a manipulation of the argument rootAPmac results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9441
Edimax–BR-6675nD A vulnerability was determined in Edimax BR-6675nD 1.12. Affected is the function stainfo of the file /goform/stainfo. This manipulation of the argument interface causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9439
Edimax–BR-6675nD A security flaw has been discovered in Edimax BR-6675nD 1.12. Impacted is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 4.7 CVE-2026-9423
Edimax–EW-7438RPn A weakness has been identified in Edimax EW-7438RPn 1.31. The affected element is the function formWlanMP of the file /goform/formWlanMP of the component Content-Type Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 6.3 CVE-2026-9424
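The seven Edimax rows above all turn on a request parameter (rootAPmac, interface, command, submit-url, the formWlanMP test-mode fields) that reaches an OS command unvalidated. The Python below is an added example, not Edimax firmware, of the two checks that close that class of bug for a MAC-address parameter like rootAPmac: a strict format allowlist applied with fullmatch, and passing the value as its own argv element instead of interpolating it into a shell string. It also shows, with the standard-library shell lexer, why the interpolated form is dangerous. The /sbin/wlanctl command and its arguments are hypothetical placeholders; the page does not say which binary the routers invoke.

```python
"""Allowlisting a MAC-address parameter and keeping it out of the shell.

Added example modelled on the Edimax rootAPmac command-injection rows; not
Edimax firmware. WLANCTL and its argument syntax are hypothetical placeholders
for whatever the router really runs.
"""
import re
import shlex
import subprocess
from typing import List

WLANCTL = "/sbin/wlanctl"   # hypothetical placeholder binary

_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def validate_mac(value: str) -> str:
    """Accept exactly six colon-separated hex octets and nothing else.
    fullmatch (not search/match) rejects trailing bytes such as ';', '`',
    '$(' or a newline that a shell would otherwise interpret."""
    if not _MAC_RE.fullmatch(value):
        raise ValueError(f"rejected rootAPmac {value!r}")
    return value.lower()


def accepts(value: str) -> bool:
    try:
        validate_mac(value)
        return True
    except ValueError:
        return False


def unsafe_command(root_ap_mac: str) -> str:
    """The vulnerable shape: the parameter is interpolated into a string that
    is handed to system()/popen(), so shell metacharacters are honoured."""
    return f"{WLANCTL} ra0 set ApCliBssid={root_ap_mac}"


def shell_metachars(cmd: str) -> List[str]:
    """Operator tokens a POSIX shell would see in cmd (';', '|', '&&', ...).
    A non-empty list means the parameter changed the command's structure."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and all(c in lexer.punctuation_chars for c in tok)]


def build_argv(iface: str, root_ap_mac: str) -> List[str]:
    """Hardened shape: validated value, one argv element, no shell involved."""
    return [WLANCTL, iface, "set", f"ApCliBssid={validate_mac(root_ap_mac)}"]


def run(iface: str, root_ap_mac: str) -> subprocess.CompletedProcess:
    """shell=False (the default) hands argv to the kernel verbatim; there is
    no shell to interpret anything, even if validation were ever loosened."""
    return subprocess.run(build_argv(iface, root_ap_mac), check=False, capture_output=True)


if __name__ == "__main__":
    payload = "00:11:22:33:44:55; telnetd -l /bin/sh"   # constructed injection attempt
    print("shell operators in interpolated command:", shell_metachars(unsafe_command(payload)))
    print("allowlist accepts payload:", accepts(payload))
    print("argv for a clean value:", build_argv("ra0", "00:11:22:33:44:55"))
```

Both checks are worth having: the allowlist stops bad data at the boundary, and the argv form means a missed check cannot become code execution.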
ektorcaba–WP Iframe Geo Style for Amazon affiliates The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘adid’ Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8837
Elastic–Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted. 2026-05-28 6.5 CVE-2026-33464
Elastic–Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users. 2026-05-28 6.5 CVE-2026-42399
Elastic–Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing. 2026-05-28 6.5 CVE-2026-42400
Elastic–Kibana Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block. 2026-05-28 6.3 CVE-2026-49093
Elastic–Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered. 2026-05-28 6.5 CVE-2026-49094
Elastic–Kibana Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration. 2026-05-28 5.3 CVE-2026-33463
Elastic–Kibana A path traversal vulnerability was identified in Kibana’s dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object. 2026-05-28 4.6 CVE-2026-33462
Elastic–Kibana Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user’s browser session. 2026-05-28 4.1 CVE-2026-42401
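Of the Kibana rows above, the compressed-payload one (CVE-2026-42400) is the most mechanical to defend against: a request body is inflated before authorization, so an anonymous client can spend the server's memory and CPU. The Python below is an added example, not Kibana code, of the two controls a practitioner wants on that path: authorization before the body is touched at all, and a bounded inflate that refuses to produce more than a fixed number of bytes instead of allocating whatever the stream expands to. The 1 MiB cap and the request shape are assumptions; the small request and the zero-filled decompression bomb are constructed inputs.

```python
"""Bounding decompression of an untrusted request body, after authorization.

Added example modelled on the Kibana compressed-payload row (CVE-2026-42400);
not Kibana code. The 1 MiB cap, the response codes and the request shape are
assumptions. SMALL and BOMB are constructed inputs.
"""
import zlib

MAX_DECOMPRESSED = 1 << 20   # assumed per-request cap on inflated size (1 MiB)


def inflate_bounded(payload: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate at most `limit` bytes. Asking the decompressor for limit+1 bytes
    lets us detect an oversize stream while having allocated only that much;
    the rest of the input is never processed. wbits 32+15 accepts either
    zlib or gzip framing."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = d.decompress(payload, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed body exceeds limit")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return out


def handle_request(is_authorized: bool, compressed_body: bytes) -> str:
    """Order matters: the body is not inflated until authorization has passed,
    so an unauthenticated or under-privileged caller cannot make the server
    do the expensive work at all. Returns the status the handler would send."""
    if not is_authorized:
        return "401"
    try:
        body = inflate_bounded(compressed_body)
    except ValueError:
        return "413"
    return f"200 ({len(body)} bytes)"


# Constructed inputs: a normal small request, and 8 MiB of zeros that compress
# to a few kilobytes (the classic decompression-bomb shape).
SMALL = zlib.compress(b'{"query":"x"}')
BOMB = zlib.compress(b"\x00" * (8 << 20), 9)


if __name__ == "__main__":
    print("bomb on the wire:", len(BOMB), "bytes")
    print("authorized + small:", handle_request(True, SMALL))
    print("authorized + bomb:", handle_request(True, BOMB))
    print("anonymous + bomb:", handle_request(False, BOMB))
```

The same bound applies to any layered decoding (base64, JSON, nested archives); what matters is that the limit is enforced while producing output, not by inspecting the result afterwards.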
eldougo–Tuxquote The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘TUXQUOTE’ shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (‘title’, ‘align’, and ‘width’) in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8846
ellanetworks–core Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core’s stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0. 2026-05-27 6.1 CVE-2026-44475
equalizedigital–Equalize Digital Accessibility Checker WCAG, ADA, EAA and Section 508 compliance The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site – including mass modification of all rows sharing an ‘object’ identifier when largeBatch=true is supplied – corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope. 2026-05-28 4.3 CVE-2026-9015
esiteq–Responsive Video Embedder The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rem_video’ shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (notably ‘id’ and ‘list’) in the video_shortcode() function, which are concatenated directly into an HTML iframe’s src attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8877
espocrm–espocrm EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target’s email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5. 2026-05-28 6.5 CVE-2026-41141
espocrm–espocrm EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a “write first, authorize later” execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note’s pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5. 2026-05-28 4.3 CVE-2026-41160
Exim–Exim Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client. 2026-05-30 5.3 CVE-2026-48840
Extreme Networks–Extreme Platform ONE A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected. 2026-05-29 6.3 CVE-2026-9831
Facebook–Facebook for WooCommerce URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. 2026-05-27 4.7 CVE-2026-49059
fides-it–Animate Your Content The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘animation-set’ shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8872
fides-it–Post Categories Gallery The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘postcategorygallery’ shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8867
frappe–hrms Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0. 2026-05-27 6.5 CVE-2026-45081
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF’s stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2. 2026-05-27 6.1 CVE-2026-42081
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == “1” (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, …) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2. 2026-05-27 6.5 CVE-2026-44317
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 — the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2. 2026-05-27 6.5 CVE-2026-44318
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) — a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2. 2026-05-27 6.5 CVE-2026-44324
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC’s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos — dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2. 2026-05-27 4.3 CVE-2026-44323
freescout-help-desk–freescout FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219. 2026-05-29 5.3 CVE-2026-45294
freescout-help-desk–freescout FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread’s body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag – not current mailbox membership. This vulnerability is fixed in 1.8.221. 2026-05-29 4.3 CVE-2026-48810
freescout-help-desk–freescout FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user’s access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221. 2026-05-29 4.3 CVE-2026-48811
Fyffe–PHP-Twitter-Clone Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions. 2026-05-25 4.3 CVE-2018-25363
gapgag55–Auto Thumbnails The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘thumbnails’ shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode’s ‘width’ and ‘height’ attributes in the athn_thumbnails() function, which are concatenated directly into an HTML <img> tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8899
garber–GBI To Print The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the ‘div’ attribute of the ‘gbitoprint’ shortcode. This is due to insufficient output escaping in the gbi_toprint_shortcode() function, which concatenates the raw shortcode attribute value directly into an HTML attribute without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8702
Genetec Inc.–Genetec Security Center SQL Injection affecting the Access Manager role. 2026-05-25 6.6 CVE-2026-27768
getarcaneapp–arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c “find … | while …”) inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body. 2026-05-29 6.3 CVE-2026-45626
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation. 2026-05-27 6.5 CVE-2026-1402
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks. 2026-05-27 5.3 CVE-2026-6713
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks. 2026-05-27 4.3 CVE-2026-2601
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions. 2026-05-27 4.3 CVE-2026-5296
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended. 2026-05-27 4.3 CVE-2026-8716
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement. 2026-05-28 4.3 CVE-2026-9807
GNU–LibreDWG A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 5.3 CVE-2026-9500
GNU–LibreDWG A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch. 2026-05-25 5.3 CVE-2026-9502
go-git–go-git go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository’s .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4. 2026-05-27 5.4 CVE-2026-45571
godlessons–WP AutoBuzz The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress’s DISALLOW_UNFILTERED_HTML protection because the unsanitized value is written directly via update_option at the plugin level, entirely outside of WordPress post content handling. 2026-05-27 6.1 CVE-2026-8911
golzarrahman–GNTT Post Title Ticker The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`) within the `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()` functions. None of these attribute values are passed through `esc_attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8701
gradio-app–gradio Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment. 2026-05-27 6.8 CVE-2026-48545
grokability–snipe-it Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1. 2026-05-26 5.9 CVE-2026-44833
grokability–snipe-it Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1. 2026-05-26 4.8 CVE-2026-44831
haojing8312–WorkClaw A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-26 6.3 CVE-2026-9565
hasanazizul–3D Viewer 3D Model Viewer Augmented Reality Virtual Try On The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint. 2026-05-28 4.3 CVE-2026-8682
HCLSoftware–BigFix Remote Control Server A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources. 2026-05-27 4 CVE-2026-21785
hemant6488–CodeIgniter-StudentManagementSystem A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-26 4.3 CVE-2026-9518
Hitachi Vantara–Pentaho Data Integration and Analytics Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications. 2026-05-27 6.3 CVE-2026-2254
Hitachi Vantara–Pentaho Data Integration and Analytics Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API. 2026-05-27 4.3 CVE-2026-2255
Hitachi–Hitachi Ops Center Analyzer Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules). This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00. 2026-05-26 4.6 CVE-2026-3314
honojs–hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule – such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses – do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21. 2026-05-28 5.3 CVE-2026-47674
honojs–hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21. 2026-05-28 5.3 CVE-2026-47676
honojs–hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value – regardless of the scheme name in the first position – proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21. 2026-05-28 4.8 CVE-2026-47673
honojs–hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21. 2026-05-28 4.3 CVE-2026-47675
huankong–hk_shortcode The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title-plane’ shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the ‘title’ attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8886
IBM–App Connect Enterprise IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user. 2026-05-27 5.5 CVE-2026-5515
IBM–Aspera High-Speed Transfer Endpoint IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to. 2026-05-27 6.5 CVE-2026-9035
IBM–Cloud APM, Base Private IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment. 2026-05-27 6.5 CVE-2026-3676
IBM–Cloud Pak for Data System – Cyclops IBM Cloud Pak for Data System – Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords from the manufacturing process during the installation process, which could allow an attacker to bypass authentication. 2026-05-26 5.3 CVE-2025-36221
IBM–Cloud Pak for Data System – Cyclops IBM Cloud Pak for Data System – Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. 2026-05-26 4.3 CVE-2025-36220
IBM–Cognos Analytics IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 are vulnerable to stored cross-site scripting (XSS) in Cognos Administration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. 2026-05-26 6.4 CVE-2025-36126
IBM–Cognos Analytics IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session. 2026-05-27 5.4 CVE-2025-3633
IBM–Db2 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables. 2026-05-27 6.5 CVE-2026-6052
IBM–Db2 IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query. 2026-05-27 6.5 CVE-2026-6938
IBM–Db2 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user. 2026-05-26 5.5 CVE-2025-13755
IBM–Db2 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap. 2026-05-27 5.5 CVE-2026-6051
IBM–Db2 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables. 2026-05-27 5.5 CVE-2026-6053
IBM–Financial Transaction Manager for SWIFT Services for Multiplatforms IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. 2026-05-26 5.4 CVE-2025-36148
IBM–Guardium Data Protection IBM Guardium Data Protection 12.2.1 and 12.2.2’s add-on feature of Guardium Data Protection named “Long Term Retention” (LTR) can expose sensitive credentials in debug mode. 2026-05-27 6.5 CVE-2026-8405
IBM–HTTP Server IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional mod_fastcgi module. 2026-05-26 6.2 CVE-2026-8852
IBM–i IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements. 2026-05-27 6.5 CVE-2026-6936
IBM–MQ Operator IBM MQ Operator SC2: v3.2.0 through 3.2.23; CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 – v3.5.3, v3.6.0 – v3.6.4, v3.7.0 – v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1; LTS: v2.0.0 – 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 – 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1; CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 – 9.4.3.1-r3, 9.4.4.0-r1 – 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2; LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user. 2026-05-27 5.1 CVE-2026-2607
IBM–Operations Analytics – Log Analysis IBM Operations Analytics – Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, and 1.3.8.4 IBM SmartCloud Analytics – Log Analysis does not require that users have strong passwords by default, which makes it easier for attackers to compromise user accounts. 2026-05-27 5.9 CVE-2024-40684
IBM–SDI IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. 2026-05-27 5.3 CVE-2024-28765
IBM–watsonx.data IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions. 2026-05-26 5.4 CVE-2025-36145
IBM–webMethods Integration (on prem) -Integration Server IBM webMethods Integration (on prem) -Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. 2026-05-26 5.4 CVE-2025-14290
IBM–WebSphere Application Server – Liberty IBM WebSphere Application Server – Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. 2026-05-27 4.8 CVE-2026-4410
IBM–WebSphere Application Server – Liberty IBM WebSphere Application Server – Liberty 22.0.0.11 through 26.0.0.5 IBM WebSphere Application Server Liberty could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window. 2026-05-27 4.4 CVE-2026-5516
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle’s anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller’s transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation. 2026-05-29 4.6 CVE-2026-49316
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle’s primary user-authentication control. Specific protocol details have been withheld pending vendor remediation. 2026-05-29 4.3 CVE-2026-49322
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation. 2026-05-29 4.3 CVE-2026-49323
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation. 2026-05-29 4.6 CVE-2026-49324
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider’s PIN. Specific connector details have been withheld pending vendor remediation. 2026-05-29 4.6 CVE-2026-49325
Interinfo–DreamMaker DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary paths by exploiting an Absolute Path Traversal vulnerability. 2026-05-29 5.3 CVE-2026-10075
Interinfo–DreamMaker DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files. 2026-05-29 4.9 CVE-2026-10074
ipld–go-ipld-prime go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0. 2026-05-27 6.2 CVE-2026-42328
ITP Technology–ITS Intelligent SCADA System ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript code that is executed in users’ browsers upon page load. 2026-05-29 4.8 CVE-2026-10057
ITP Technology–ITS Intelligent SCADA System ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript code that is executed in users’ browsers upon page load. 2026-05-29 4.8 CVE-2026-10058
itsourcecode–Courier Management System A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 2026-05-27 6.3 CVE-2026-9607
itsourcecode–Electronic Judging System A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2026-05-26 4.3 CVE-2026-9527
JeecgBoot–JeecgBoot A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded. 2026-05-26 6.3 CVE-2026-9579
JeecgBoot–JeecgBoot A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended. 2026-05-26 6.3 CVE-2026-9581
JeecgBoot–JeecgBoot A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded. 2026-05-26 4.3 CVE-2026-9604
jegstudio–Gutenverse WordPress Blocks, Page Builder & Site Editor The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site’s search results template. 2026-05-27 6.1 CVE-2026-3001
JetBrains–IntelliJ IDEA In JetBrains IntelliJ IDEA before 2026.1, code execution was possible via template injection in the Copyright plugin. 2026-05-29 4.5 CVE-2026-49382
JetBrains–PyCharm In JetBrains PyCharm before 2025.3.4, stored XSS in Jupyter notebook Markdown cells was possible. 2026-05-29 6.1 CVE-2026-49384
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, 2025.11.5, reflected XSS was possible on the repository download page. 2026-05-29 6.1 CVE-2026-49375
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, username validation in the SAML plugin was insufficient. 2026-05-29 6.5 CVE-2026-49376
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, credentials could be exposed in thread names. 2026-05-29 6.5 CVE-2026-49379
JetBrains–TeamCity In JetBrains TeamCity before 2025.11.2, exposure of sensitive data via default agent parameters was possible. 2026-05-29 4.3 CVE-2026-49377
JetBrains–TeamCity In JetBrains TeamCity before 2026.1, credential parameters were exposed via parameter autocompletion. 2026-05-29 4.3 CVE-2026-49378
JetBrains–YouTrack In JetBrains YouTrack before 2026.1.13570, improper access control allowed low-privileged users to modify service accounts. 2026-05-29 6.5 CVE-2026-49385
JetBrains–YouTrack In JetBrains YouTrack before 2026.1.13570, improper access control allowed enumeration of restricted issues and articles on Planning Canvas. 2026-05-29 6.5 CVE-2026-49386
JetBrains–YouTrack In JetBrains YouTrack before 2026.1.13162, information disclosure was possible on Users and Groups pages. 2026-05-29 4.3 CVE-2026-49369
jetmonsters–Timetable and Event Schedule by MotoPress The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object – including post_content, post_excerpt, post_status, and post_author – of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions. 2026-05-28 4.3 CVE-2026-9228
joeyrush–PHP-SHOP master PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts. 2026-05-29 5.3 CVE-2018-25397
jonathan-robrecht–Single Mailchimp The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘single-mailchimp’ shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8868
jpadilla–pyjwt PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(…) flow. This vulnerability is fixed in 2.13.0. 2026-05-28 5.4 CVE-2026-48523
jpadilla–pyjwt PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (`"b64": false`, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0. 2026-05-28 5.3 CVE-2026-48525
jpadilla–pyjwt PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib’s default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application’s jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained “plant a JWKS to forge tokens” scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0. 2026-05-28 4.2 CVE-2026-48522
json-2-csv–json-2-csv Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications. 2026-05-28 6.8 CVE-2026-9673
juliangruber–brace-expansion The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6. 2026-05-29 6.5 CVE-2026-45149
Justin Kruit–Advanced Custom Fields: Font Awesome Field Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2. 2026-05-27 6.5 CVE-2026-49044
kevin1804–Responsive Check The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rspcheck’ shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the ‘url’ (and ‘button’) shortcode attributes in the rspc_check_shortcode() function, which are echoed directly into iframe src attributes without esc_attr() or esc_url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8844
Kings Plugins–B2BKing Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B2BKing: from n/a before 5.2.10. 2026-05-25 4.9 CVE-2026-27346
KLiK–KLiK SocialMediaWebsite A vulnerability was found in KLiK SocialMediaWebsite 1.0. This affects an unknown part of the component HTTP GET Request Parameter Handler. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. 2026-05-25 6.3 CVE-2026-9420
Kludex–starlette Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values. 2026-05-26 6.5 CVE-2026-48710
konforti–Listen Shortcode The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘listen’ shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (src, start, end) in the listenEmbedJS() function, which are echoed inside a single-quoted HTML attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8887
LabRedesCefetRJ–WeGIA WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP’s hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3. 2026-05-27 5.9 CVE-2026-45027
LabRedesCefetRJ–WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.7.3. 2026-05-27 5.4 CVE-2026-45335
labring–FastGPT FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex `/\bimport\s*\(/.test(code)`. JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the `\s` character class. The payload `import/**/("child_process")` parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync – arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1. 2026-05-29 6.3 CVE-2026-44287
larsdrasmussen–rexCrawler The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-05-27 4.8 CVE-2026-2280
LearningCircuit–local-deep-research Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled values – specifically title (sourced from research.title or research.query) and metadata key-value pairs – directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application’s existing SSRF defenses in ssrf_validator.py. This vulnerability is fixed in 1.6.0. 2026-05-28 5 CVE-2026-43979
LearningCircuit–local-deep-research Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10. 2026-05-28 5 CVE-2026-46526
lepture–mistune Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($…$) and block math ($$…$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM. This vulnerability is fixed in 3.2.1. 2026-05-26 6.1 CVE-2026-44708
lepture–mistune Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTML – with no call to escape(), safe_entity(), or any other sanitisation function. A double-quote character `"` in the id value terminates the attribute, allowing an attacker to inject arbitrary additional attributes (event handlers, src=, href=, etc.) into the heading element. This vulnerability is fixed in 3.2.1. 2026-05-26 6.1 CVE-2026-44897
lepture–mistune Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as `href="#<id>"`) and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string – with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the `href="#…"` attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1. 2026-05-26 6.1 CVE-2026-44898
lepture–mistune Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as `_num_re = re.compile(r"^\d+(?:\.\d*)?")`. When the validated value is not a plain integer, render_block_image() inserts it directly into a `style="width:…;"` or `style="height:…;"` attribute. Because the value was accepted by the prefix-only regex, any CSS after the leading digits reaches the style= attribute verbatim and without escaping. This vulnerability is fixed in 3.2.1. 2026-05-26 4.7 CVE-2026-44899
lhughes33472–MetaMagic SEO Plugin The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin’s SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8942
libusb–libusb libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash. 2026-05-27 6.2 CVE-2026-23679
libusb–libusb libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service. 2026-05-27 4 CVE-2026-47104
libyang–libyang libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution. 2026-05-26 6.5 CVE-2026-41401
Linethemes–NanoCare Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2. 2026-05-25 5.4 CVE-2026-32389
livemesh–Livemesh Addons for Beaver Builder The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. 2026-05-27 6.4 CVE-2026-3897
livemesh–Livemesh SiteOrigin Widgets The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. 2026-05-27 6.4 CVE-2026-3896
livemesh–WPBakery Page Builder Addons by Livemesh The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-2030
livemesh–WPBakery Page Builder Addons by Livemesh The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. 2026-05-27 6.4 CVE-2026-3895
Lucian Apostol–Auto Affiliate Links Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Affiliate Links: from n/a through 6.8.8.3. 2026-05-25 5.3 CVE-2026-24592
macrozheng–mall A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way. 2026-05-29 4.7 CVE-2026-10070
Magepeople inc.–Taxi Booking Manager for WooCommerce Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1. 2026-05-26 5.3 CVE-2026-25426
Magepeople inc.–WpBookingly Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. 2026-05-26 4.3 CVE-2026-25444
Magepeople inc.–WpTravelly Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5. 2026-05-26 6.3 CVE-2026-27331
Mamunur Rashid–The Post Grid Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2. 2026-05-27 4.3 CVE-2026-49054
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641 2026-05-25 6.5 CVE-2026-4915
mauriceboe–TREK TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18. 2026-05-28 5.3 CVE-2026-45410
Mautic–Mautic 7 Project Selector A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project’s name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard. 2026-05-29 5.4 CVE-2026-9811
Mautic–Mautic Focus Component A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic’s Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary internal or external destinations. 2026-05-29 6.4 CVE-2026-9557
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40831
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40832
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40835
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40837
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40838
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40839
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40840
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40841
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40842
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40843
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40844
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40845
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40846
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40847
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40848
MB connect line–mbCONNECT24 A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 6.5 CVE-2026-40849
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40823
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40824
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40825
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40827
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40828
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40829
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. 2026-05-27 5.5 CVE-2026-40830
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 4.9 CVE-2026-40821
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 4.9 CVE-2026-40822
MB connect line–mbCONNECT24 A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 2026-05-27 4.9 CVE-2026-40826
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the deny_remote feature called the non-reentrant strtok(), which stores state in a single global pointer. If two authentications race, one thread’s strtok() call can overwrite the other’s in-progress tokenisation pointer, causing incorrect parsing of the tmux session data or the /proc environ scan that backs the remote-session detection logic. Additionally, pusb_tmux_get_client_tty() passed the raw pointer returned by getenv(TMUX) directly to strtok(). getenv() returns a pointer into the live process environment block; strtok() inserts NUL bytes into that block, permanently corrupting the TMUX variable for subsequent code running in the same process. In long-lived display managers this affects all future authentications in that process. The combined effect can cause deny_remote=true to return an incorrect decision for a remote session, or an incorrect decision for a local session, depending on thread interleaving. This vulnerability is fixed in 0.9.0. 2026-05-27 6.3 CVE-2026-47270
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0. 2026-05-27 6.5 CVE-2026-47273
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0. 2026-05-27 6.3 CVE-2026-47274
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 — both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1. 2026-05-27 6.7 CVE-2026-48065
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check — this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0. 2026-05-27 5.1 CVE-2026-47271
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1. 2026-05-27 5.7 CVE-2026-48066
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks. The GIO/UDisks API documentation states these accessors can return NULL for devices that do not expose the corresponding field. Passing NULL to strcmp() is undefined behaviour (typically a SIGSEGV). This vulnerability is fixed in 0.8.7. 2026-05-27 4.6 CVE-2026-44710
mcdope–pam_usb pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1. 2026-05-27 4.4 CVE-2026-48792
Melapress–WP Activity Log Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3. 2026-05-25 6.5 CVE-2026-45435
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client. 2026-05-27 6.3 CVE-2026-46416
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO’s constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device’s pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue. 2026-05-27 5.9 CVE-2026-46538
microsoft–UFO Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id. 2026-05-27 5.3 CVE-2026-46544
minhnhut–MinhNhut Link Gateway The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter on the redirect page in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-05-27 6.1 CVE-2026-3349
minhnhut–MinhNhut Link Gateway The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s settings (Description, Title, and other fields) in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the redirect page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-05-27 4.4 CVE-2026-3348
mkhfr–Old Posts Highlighter The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin’s configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-7614
morettolss–Google+ Link Name The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gplusnamelink’ shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (‘id’ and ‘name’) in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8842
mr2p–Meta Field Block Display custom fields in the Block Editor without coding The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object’s metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses. 2026-05-28 6.5 CVE-2026-3173
mshomali–Dideo The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘dideo’ shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the ‘id’ shortcode attribute, which is interpolated directly into an HTML iframe ‘src’ attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8847
murtaza-nasir–speakr Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect(). A scheme-relative input such as ////evil.com resolved to a same-host URL during validation but was emitted verbatim in the Location header, where the browser interpreted it as a network-path-relative redirect to an attacker-controlled host. This vulnerability is fixed in 0.8.20-alpha. 2026-05-28 6.1 CVE-2026-45307
MusicPlayerDaemon–MPD Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0. 2026-05-28 5.8 CVE-2026-49129
MusicPlayerDaemon–MPD Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat’s decoding of numeric character references prior to the character data callback. 2026-05-28 5.3 CVE-2026-49130
mutualfunddata–Mutual Funds Data The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied ‘title’ attribute in the mfd_shortcode() function, which is concatenated directly into the HTML output within a <caption> element. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8869
nakamura1458–auto making JSON-LD The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin’s license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator’s consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components. 2026-05-27 4.3 CVE-2026-8938
nanomq–nanomq NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14. 2026-05-29 4.5 CVE-2026-44640
NASA–openVSP NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Attackers can trigger a denial of service by pasting a 5000-byte payload into the name input field within the Geom browser pod addition interface. 2026-05-25 6.2 CVE-2018-25367
nautobot–nautobot Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2. 2026-05-28 6.5 CVE-2026-44796
nautobot–nautobot Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different “content types” or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot’s REST API failed to enforce user “view” permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2. 2026-05-28 5.4 CVE-2026-44794
Navigatecms–Navigate CMS Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can send GET requests to navigate_download.php with path traversal payloads ../../../cfg/globals.php to access sensitive configuration files and system files outside the intended directory. 2026-05-29 6.5 CVE-2018-25393
neilmccutcheon–Instant-Quote.co Quotation Page The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post. 2026-05-27 6.4 CVE-2026-8884
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts’ product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php. 2026-05-27 6.3 CVE-2026-42879
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note. 2026-05-27 5.4 CVE-2026-42877
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026. 2026-05-27 5.3 CVE-2026-42878
Nexcess–WPComplete Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS. This issue affects WPComplete: from n/a through <= 2.9.5.4. 2026-05-27 6.5 CVE-2026-42750
nhadjidimitrov–LiveSmart Video Chat Live Video Chat The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘livesmart_widget’ shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-28 6.4 CVE-2026-9644
Nikki Blight–QR Redirector Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. 2026-05-25 4.3 CVE-2026-24545
nsthemes–NS Product icon badge The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-05-27 6.1 CVE-2026-8707
nuts-foundation–nuts-node nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31. 2026-05-26 4.4 CVE-2026-41164
NVIDIA–GeForce NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could leak held driver locks. A successful exploit of this vulnerability might lead to denial of service. 2026-05-26 6.5 CVE-2026-24182
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG) partition management, where an insecure default initialization of memory subsystem routing resources could lead to data corruption or a hang during partition reconfiguration. A successful exploit of this vulnerability might lead to denial of service. 2026-05-26 6.5 CVE-2026-24197
NVIDIA–GeForce NVIDIA GPU Display Driver for Linux contains a vulnerability where an advanced attacker could use a race condition to leak sensitive memory, which might cause limited exposure of sensitive information to an unauthorized actor. A successful exploit of this vulnerability might lead to denial of service, data tampering, and information disclosure. 2026-05-26 5.6 CVE-2026-24198
NVIDIA–GeForce NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel driver, where a user could cause an incorrect permission assignment for a critical resource. A successful exploit of this vulnerability might lead to data tampering and denial of service. 2026-05-26 4.4 CVE-2025-33221
NVIDIA–GeForce NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where a user could cause a race condition by reordering compiler or processor memory instructions. A successful exploit of this vulnerability might lead to denial of service. 2026-05-26 4.7 CVE-2026-24199
NVIDIA–Virtual GPU Manager NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause an out-of-bound access. A successful exploit of this vulnerability might lead to data tampering, denial of service, or information disclosure. 2026-05-26 5.8 CVE-2026-24201
octalmage–Github Shortcode The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘repo’ shortcode attribute in the ‘github’ shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8042
OFCMS–OFCMS A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollerComnController.java of the component ComnController. Performing a manipulation of the argument system.user.query results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10193
OFCMS–OFCMS A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollersystemSystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10202
OFCMS–OFCMS A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollersystemSystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10203
OFCMS–OFCMS A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollersystemSysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10204
OFFIS–DCMTK A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue. 2026-05-31 6.3 CVE-2026-10194
open-quantum-safe–liboqs liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. 2026-05-29 5.3 CVE-2026-44518
open-quantum-safe–liboqs liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. 2026-05-29 5.3 CVE-2026-46344
open-telemetry–opentelemetry-dotnet-contrib The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the proxy connection, all OpenTelemetry telemetry data and the Instana API key are exposed to the attacker. This vulnerability is fixed in 1.1.0. 2026-05-26 6.5 CVE-2026-44213
open-telemetry–opentelemetry-java opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0. 2026-05-28 5.3 CVE-2026-45292
Open5GS–Open5GS A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is an unknown functionality in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. The manipulation results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. A patch should be applied to remediate this issue. 2026-05-30 4.3 CVE-2026-10113
Open5GS–Open5GS A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function handle_scp_info in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. To fix this issue, it is recommended to deploy a patch. 2026-05-30 4.3 CVE-2026-10114
Open5GS–Open5GS A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue. 2026-05-30 4.3 CVE-2026-10115
Open5GS–Open5GS A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_sbi_xact_add in the library /lib/core/ogs-timer.c of the component ue-authentications Endpoint. Performing a manipulation results in denial of service. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is the recommended action to fix this issue. 2026-05-30 4.3 CVE-2026-10116
Open5GS–Open5GS A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue. 2026-05-30 4.3 CVE-2026-10117
Open5GS–Open5GS A vulnerability was determined in Open5GS up to 2.7.7. This affects the function handle_amf_info in the library /lib/sbi/nnrf-handler.c of the component nf-instances Endpoint. Executing a manipulation of the argument nf_info_pool can lead to resource consumption. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. 2026-05-30 4.3 CVE-2026-10156
OpenClaw–OpenClaw OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected. 2026-05-29 6.5 CVE-2026-35673
OpenClaw–OpenClaw OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked. 2026-05-29 5.4 CVE-2026-34507
OpenClaw–OpenClaw OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration. 2026-05-29 4.3 CVE-2026-32906
Openkm–OpenKM Community Edition OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process. 2026-05-26 4.9 CVE-2026-41917
OpenStack–Keystone An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user’s name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential’s roles and the victim’s actual roles on the project. This enables audit evasion, reading the victim’s credentials, and acting as the victim within shared projects. 2026-05-28 6 CVE-2026-42998
OpenStack–Keystone An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0). 2026-05-28 6 CVE-2026-42999
OpenStack–Keystone An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim’s identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim’s actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim’s admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim’s identity. 2026-05-28 6 CVE-2026-43000
OpenStack–Keystone An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token’s expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected. 2026-05-28 6 CVE-2026-44394
Openstamanager–Open STA Manager Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files. 2026-05-30 6.5 CVE-2018-25421
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2026-05-28 5.3 CVE-2026-46830
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2026-05-28 5.3 CVE-2026-46841
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). 2026-05-28 5.3 CVE-2026-46842
Oracle Corporation–Oracle REST Data Services Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 2026-05-28 5.3 CVE-2026-46843
Orthanc–Explorer 2 A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue. 2026-05-31 4.3 CVE-2026-10173
OTRS AG–OTRS An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1. 2026-05-31 5.7 CVE-2026-48210
OUSL-GROUP-BrinaryBrains–School Student Management System A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 6.3 CVE-2026-10168
oviva-ag–epa4all-client epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient’s electronic health record accessible by the institution’s SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials. 2026-05-26 6.5 CVE-2026-47672
Patterns in the cloud–Autoship Cloud for WooCommerce Subscription Products Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0. 2026-05-25 4.3 CVE-2026-24527
paulpela–My Email Shortcode The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ shortcode attribute in the ‘my-email’ shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8048
peachpay–PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) The PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials – including publishable keys, secret keys, webhook secrets, and Apple Pay configuration – from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-28 4.3 CVE-2026-9618
PickPlugins–Team Showcase Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PickPlugins Team Showcase allows Stored XSS. This issue affects Team Showcase: from n/a through 1.22.28. 2026-05-25 6.5 CVE-2025-62745
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer’s backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal – a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8. 2026-05-28 5.5 CVE-2026-44885
posimyththemes–The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘carousel_direction’ parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-29 6.4 CVE-2026-9243
Prasad Kirpekar–WP Meta and Date Remover Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6. 2026-05-27 4.3 CVE-2026-49051
prolix-oc–Lumiverse Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin’s session. If the admin’s auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a duplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7. 2026-05-26 4.8 CVE-2026-44443
pyload–pyload pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100. 2026-05-28 6.5 CVE-2026-45306
pyload–pyload pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. This vulnerability is fixed in 0.5.0b3.dev100. 2026-05-28 5 CVE-2026-46561
QianFox–FoxCMS A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-27 4.7 CVE-2026-9609
rahulbhangale–WP Promoter The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 6.1 CVE-2026-8906
rahulbhangale–WP Promoter The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin’s bar and popup statistics by deleting the wpp_bar and wpp_popup options. 2026-05-27 5.3 CVE-2026-9014
rankmath–Rank Math SEO AI SEO Tools to Dominate SEO Rankings The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used. 2026-05-29 5.3 CVE-2025-12714
rchmura–GoStats for WordPress The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin’s settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8943
realmag777–FOX Currency Switcher Professional for WooCommerce The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user’s role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user’s session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles – such as wholesale customer or administrator – and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured. 2026-05-28 4.3 CVE-2026-9241
Recorp–Export WP Page to Static HTML/CSS Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0. 2026-05-25 6.5 CVE-2026-24574
Red Hat–Multicluster Engine for Kubernetes ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret’s `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`. 2026-05-29 6.3 CVE-2026-10101
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client’s service account, leading to privilege escalation. 2026-05-27 6.8 CVE-2026-9704
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak’s Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure. 2026-05-28 6.5 CVE-2026-9792
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker’s own permissions are revoked and across system reboots. 2026-05-28 6.5 CVE-2026-9796
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user’s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim’s account, potentially leading to information disclosure or privilege escalation. 2026-05-28 6.8 CVE-2026-9802
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements. 2026-05-28 5.9 CVE-2026-9793
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client’s protocol type, leading to information disclosure. 2026-05-28 5.3 CVE-2026-9794
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak’s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed ‘Authorization: Bearer’ header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service. 2026-05-28 5.3 CVE-2026-9803
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources. 2026-05-27 4.2 CVE-2026-9689
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the ‘organization’ scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers. 2026-05-28 4.3 CVE-2026-9791
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts. 2026-05-28 4.3 CVE-2026-9798
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node. 2026-05-28 4.9 CVE-2026-9801
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file. 2026-05-27 6.5 CVE-2026-2340
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker. 2026-05-28 4.3 CVE-2026-10028
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access. 2026-05-29 4.8 CVE-2026-6324
Red Hat–Red Hat Enterprise Linux 8 A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts. 2026-05-26 5.3 CVE-2026-42015
Red Hat–Red Hat Quay 3 A flaw was found in the Quay config-tool’s LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform internal network reconnaissance from the Quay pod’s network position, potentially mapping the internal network infrastructure. 2026-05-29 4.1 CVE-2026-10052
rexxars–eventsource-encoder eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\n`, `\r`, or `\r\n`) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2. 2026-05-26 5.8 CVE-2026-44214
Roundcube–Webmail In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message. 2026-05-25 6.5 CVE-2026-48845
Roundcube–Webmail In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass. 2026-05-25 6.5 CVE-2026-48846
Roundcube–Webmail In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. 2026-05-25 4.4 CVE-2026-48849
Ruben Garcia–GamiPress Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3. 2026-05-25 5.3 CVE-2026-24546
ruchit47–Events In City The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘org-events’ shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (such as ‘organizer_id’, ‘width’, ‘height’, ‘transparency’, ‘header’, ‘border’, and ‘layout’) in the org_event_scode() function. The attribute values are concatenated directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8898
saadiqbal–Post Snippets Custom WordPress Code Snippets Customizer The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress’s `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability. 2026-05-29 4.4 CVE-2026-7430
safedep–gryph Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryph’s sensitive file filter and log level contracts. This vulnerability is fixed in 0.7.0. 2026-05-27 5.5 CVE-2026-45046
samiullah-kaifi–Islamic Database The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘islamicDB-roqya’ shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied ‘width’ and ‘height’ shortcode attributes within the islamicDB_sc_quran_qari_roqya() function, which are concatenated directly into HTML iframe attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8845
SAP_SE–SAP Gateway The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. This leads to a low impact on confidentiality. Integrity and availability are unaffected. 2026-05-26 4.3 CVE-2026-44749
ScadaBR–ScadaBR A reflected cross-site scripting issue exists in URL handling. 2026-05-28 6.1 CVE-2026-9646
scanwith–Visual Ping Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Attackers can inject malicious payloads exceeding 4108 bytes into the Host, Time Out, Packet Size, Pause, or Loops fields to trigger a denial of service condition. 2026-05-25 6.2 CVE-2018-25369
scottpaterson–Contact Form 7 PayPal & Stripe Add-on The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload’s `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount. 2026-05-29 5.3 CVE-2026-9189
SePay team–SePay Gateway Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20. 2026-05-25 6.5 CVE-2026-42763
shabti–Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid ‘orderby’ parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the ‘order’ value into the SQL query. 2026-05-29 4.9 CVE-2026-10039
shopperlabs–shopper Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product’s pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0. 2026-05-29 6.5 CVE-2026-47742
shopperlabs–shopper Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0. 2026-05-29 6.5 CVE-2026-47745
shopperlabs–shopper Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount’s total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0. 2026-05-29 5.9 CVE-2026-47741
shra–Genzel breadcrumbs The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin’s breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8708
Significant-Gravitas–AutoGPT AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user’s balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59. 2026-05-28 5.4 CVE-2026-45023
silvercover–myLinksDump The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_title’ parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-05-27 4.8 CVE-2026-2288
simonailie–Search Simple Fields The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin’s settings – including post types to search in, custom fields, media fields and the custom media function name – via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8939
Sitejo–HaPe PKH HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication. 2026-05-29 5.3 CVE-2018-25387
smtp2go–SMTP2GO for WordPress Email Made Easy The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data. 2026-05-28 4.3 CVE-2026-7621
smub–Easy Digital Downloads eCommerce Payments and Subscriptions made easy The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store’s Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking. 2026-05-28 4.3 CVE-2026-7533
smub–PDF Embedder The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan. 2026-05-28 4.3 CVE-2026-7526
Soroush–Soroush IM Desktop App Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application’s database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode. 2026-05-25 6.8 CVE-2018-25361
SourceCodester–CET Automated Grading System with AI Predictive Analytics A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. 2026-05-26 4.3 CVE-2026-9582
SourceCodester–CET Automated Grading System with AI Predictive Analytics A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. 2026-05-26 4.3 CVE-2026-9583
SourceCodester–eDoc Doctor Appointment System A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2026-05-26 6.5 CVE-2026-9603
SourceCodester–Indian Invoicing System A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2026-05-25 6.3 CVE-2026-9411
SourceCodester–Indian Invoicing System A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected. 2026-05-25 6.3 CVE-2026-9412
SourceCodester–Indian Invoicing System A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. 2026-05-25 4.3 CVE-2026-9413
SourceCodester–Simple POS and Inventory System A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-05-25 6.3 CVE-2026-9445
SourceCodester–Simple POS and Inventory System A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. 2026-05-25 4.7 CVE-2026-9444
SourceCodester–Simple POS and Inventory System A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2026-05-25 4.7 CVE-2026-9446
SourceCodester–Student Grades Management System A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. 2026-05-25 6.3 CVE-2026-9483
SourceCodester–Student Grades Management System A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-25 6.3 CVE-2026-9484
SourceCodester–Student Grades Management System A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 4.3 CVE-2026-9486
SpabRice–Nyla Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7. 2026-05-26 5.3 CVE-2026-39642
Spring–Spring AI Spring AI’s support for Anthropic’s Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0 through 1.1.x 2026-05-25 6.5 CVE-2026-41863
Squirrel–Squirrel A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-26 5.3 CVE-2026-9541
statamic–cms Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy’s URL validation could be bypassed using an IP representation that wasn’t normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses – including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1. 2026-05-29 5.4 CVE-2026-45660
statcounter–StatCounter Free Real Time Visitor Stats The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author’s nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author’s nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker. 2026-05-29 6.4 CVE-2026-6275
Stokedonit–Notebook Pro Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook. 2026-05-25 6.2 CVE-2018-25378
stonith404–pingvin-share A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 4.3 CVE-2026-9519
Strategy11 Team–AWP Classifieds Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through <= 4.4.5. 2026-05-27 6.5 CVE-2026-42726
streamlink–streamlink Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink’s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0. 2026-05-27 6.5 CVE-2026-44353
Sushmi-pal–Invoice-System A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 4.3 CVE-2026-9409
Sushmi-pal–Invoice-System A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 4.3 CVE-2026-9410
Synology–ActiveProtect Agent Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing. 2026-05-27 6.1 CVE-2025-13593
Synology–BeeDrive for desktop Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors. 2026-05-27 6.8 CVE-2024-11399
Synology–Safe Access Improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM. 2026-05-27 5.9 CVE-2025-10466
Synology–Storage Manager A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information. 2026-05-27 6.2 CVE-2026-2237
Synology–Surveillance Station Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. 2026-05-27 4.9 CVE-2024-47268
Synology–Surveillance Station Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. 2026-05-27 4.9 CVE-2024-47269
Synology–Surveillance Station Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. 2026-05-27 4.9 CVE-2024-47271
Synology–Synology Active Backup for Business Agent An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation. 2026-05-27 6.1 CVE-2025-66592
Synology–Synology Assistant An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content during installation. 2026-05-27 6.1 CVE-2025-66593
Synology–Synology Contacts Improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors. 2026-05-27 5.4 CVE-2025-13167
TaleLin–lin-cms-spring-boot A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The manipulation results in improper access controls. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-30 6.3 CVE-2026-10152
Tanium–Tanium Server Tanium addressed a denial of service vulnerability in Tanium Server. 2026-05-27 6.5 CVE-2026-9156
teableio–teable A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: “The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects.” 2026-05-26 4.3 CVE-2026-9566
TeamSpeak–TeamSpeak 3 Server A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free. The attack may be initiated remotely. Upgrading to version 3.13.8 is able to mitigate this issue. The affected component should be upgraded. 2026-05-27 5.4 CVE-2026-4390
TeamSpeak–TeamSpeak 3 Server A security vulnerability has been detected in TeamSpeak 3 Server up to 3.13.7. This vulnerability affects unknown code of the component ECC Key Parser. Such manipulation leads to heap-based buffer overflow. The attack may be launched remotely. Upgrading to version 3.13.8 is able to resolve this issue. It is suggested to upgrade the affected component. 2026-05-27 5.3 CVE-2026-4391
TeamSpeak–TeamSpeak 3 Server A vulnerability was detected in TeamSpeak 3 Server up to 3.13.7. This issue affects some unknown processing of the component clientek Handshake Handler. Performing a manipulation of the argument proof results in reachable assertion. Remote exploitation of the attack is possible. Upgrading to version 3.13.8 is capable of addressing this issue. Upgrading the affected component is recommended. 2026-05-27 5.3 CVE-2026-4392
TeconceTheme–Mayosis Core Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7. 2026-05-26 5.3 CVE-2026-39655
Tenda–W12 A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. 2026-05-31 6.5 CVE-2026-10190
Themeansar–Newses Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77. 2026-05-25 5.4 CVE-2026-24586
ThemeHigh–Stripe Payment Gateway for WooCommerce Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7. 2026-05-25 6.5 CVE-2026-45217
themeisle–Visualizer: Tables and Charts Manager for WordPress The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators. 2026-05-28 4.3 CVE-2026-8689
themesuite–Automotive Car Dealership Business WordPress Theme The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Project Details’ custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the ‘project_details’ custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-29 6.4 CVE-2025-14042
ThingsBoard–ThingsBoard A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack’s complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet. 2026-05-26 5 CVE-2026-9568
thomstark–Formidable Kinetic The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kinetic_link’ shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably ‘window’, ‘class’, and ‘label’) in the FrmKinetic::link() function, which are concatenated directly into HTML attributes of an anchor tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8871
Tiandy–Easy7 Integrated Management Platform A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 5.3 CVE-2026-9466
Tom–GenerateBlocks Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. 2026-05-27 6.5 CVE-2026-48877
Totolink–CA750-PoE A vulnerability was identified in Totolink CA750-PoE 6.2c.510. This affects the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument webWlanIdx leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2026-05-25 6.3 CVE-2026-9511
Totolink–CA750-PoE A security flaw has been discovered in Totolink CA750-PoE 6.2c.510. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument admuser/admpass results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 6.3 CVE-2026-9512
Totolink–CA750-PoE A weakness has been identified in Totolink CA750-PoE 6.2c.510. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument host_time can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-25 6.3 CVE-2026-9513
Totolink–CA750-PoE A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. Impacted is the function setNetworkDiag of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The arguments NetDiagHost/NetDiagPingNum/NetDiagPingSize/NetDiagPingTimeOut/NetDiagTracertHop are passed directly from the request, so their manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-05-25 6.3 CVE-2026-9514
Totolink–CA750-PoE A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used. 2026-05-25 6.3 CVE-2026-9515
Totolink–CA750-PoE A weakness has been identified in Totolink CA750-PoE 6.2c.510. Impacted is the function setUpgradeUboot of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-26 6.3 CVE-2026-9531
Totolink–CA750-PoE A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2026-05-26 6.3 CVE-2026-9532
Totolink–CA750-PoE A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-05-26 6.3 CVE-2026-9533
Totolink–CA750-PoE A flaw has been found in Totolink CA750-PoE 6.2c.510. This affects the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument PIN can lead to os command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-05-26 6.3 CVE-2026-9534
TRENDnet–TEW-432BRP A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 6.3 CVE-2026-10060
TRENDnet–TEW-432BRP A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 6.3 CVE-2026-10061
TRENDnet–TEW-432BRP A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-29 6.3 CVE-2026-10064
TRENDnet–TEW-432BRP A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSysCmd of the file /goform/formSysCmd. Such manipulation of the argument sysCmd leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 6.3 CVE-2026-10180
TRENDnet–TEW-432BRP A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formWlanSetup of the file /goform/formWlanSetup. Executing a manipulation of the argument enrollee can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: “This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities.” This vulnerability only affects products that are no longer supported by the maintainer. 2026-05-31 6.3 CVE-2026-10182
universal-tool-calling-protocol–typescript-utcp typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: “http://127.0.0.1:9090” }] or servers: [{ url: “http://169.254.169.254” }]; the converter then produces tools whose URL points at internal services on the agent host. This vulnerability is fixed in 1.1.2. 2026-05-28 4.7 CVE-2026-45366
VideoWhisper.com–Paid Videochat Turnkey Site Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23. 2026-05-26 5.3 CVE-2026-24590
ViewComponent–view_component view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0. 2026-05-26 6.5 CVE-2026-44836
ViewComponent–view_component view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0. 2026-05-26 5.9 CVE-2026-44837
vinaysankhyan–iWR Tooltip The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the iwr_tooltip() shortcode handler – the `title` attribute is concatenated directly into an HTML attribute without esc_attr() or any other escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8894
vincentastolfi–Shortcode Buddy The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8897
vllm-project–vllm A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance. 2026-05-26 5.3 CVE-2026-9540
volcano-sh–volcano Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4. 2026-05-27 6.8 CVE-2026-44247
VowpalWabbit–vowpal_wabbit Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: [‘*’]), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit. 2026-05-26 5 CVE-2026-44723
Webful Creations–RepairBuddy Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121. 2026-05-26 4.3 CVE-2026-24638
Webmin–Webmin Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain). 2026-05-27 6.1 CVE-2026-49102
WebToffee–Product Import Export for WooCommerce Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6. 2026-05-27 4.3 CVE-2026-48971
westboy–CicadasCMS A flaw has been found in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is the function Search of the file org/springframework/cache/support/AbstractCacheManager.java. This manipulation of the argument s causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-30 4.3 CVE-2026-10153
wikidforum–Wikidforum Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users’ browsers when viewing forum replies. 2026-05-29 5.4 CVE-2018-25384
Wireshark Foundation–Wireshark ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service. 2026-05-27 5.5 CVE-2026-9759
wmark–CDN Linker lite The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_options() function. This makes it possible for unauthenticated attackers to update the plugin’s settings – including the CDN URL used to rewrite all static asset references on the site – via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8941
WP Chill–RSVP and Event Management Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSVP and Event Management: from n/a through 2.7.16. 2026-05-25 5.3 CVE-2026-27398
WP Media–Adminimize Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Adminimize: from n/a through 1.11.11. 2026-05-27 4.3 CVE-2026-49045
WP Sunshine–Sunshine Photo Cart Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 3.6.7. 2026-05-25 6.3 CVE-2026-42776
WP Wham–Checkout Files Upload for WooCommerce Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Checkout Files Upload for WooCommerce: from n/a through <= 2.2.5. 2026-05-27 6.5 CVE-2026-42725
WpDevArt–Organization chart Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5. 2026-05-25 4.3 CVE-2026-24597
wpdevelop–Booking Manager Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.18. 2026-05-27 6.5 CVE-2026-42751
wpengine–Advanced Custom Fields (ACF) The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request. 2026-05-31 5.3 CVE-2026-8382
wpeverest–Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server. 2026-05-27 4.3 CVE-2026-4888
wpeverest–User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators. 2026-05-28 5.3 CVE-2026-7651
Wpmet–ElementsKit Elementor addons Lite Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. 2026-05-27 5.3 CVE-2026-49053
Wpmet–ElementsKit Elementor addons Lite Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. 2026-05-27 4.3 CVE-2026-49052
WPPOOL–FlexTable Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. 2026-05-25 4.3 CVE-2026-24582
WPXpro–Xpro Elementor Addons – Pro The Xpro Elementor Addons – Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. 2026-05-27 6.5 CVE-2025-0898
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening a DNS-rebinding TOCTOU window between the SSRF check and the actual request. 2026-05-29 6.5 CVE-2026-45619
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin’s “YouTube-style” view renders the live transmission’s stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing a double quote (") plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream’s live page executes attacker JavaScript in the platform origin. 2026-05-29 5.4 CVE-2026-45580
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim’s 2FA in one request. 2026-05-29 5.7 CVE-2026-45610
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration. 2026-05-29 5.3 CVE-2026-45620
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments. 2026-05-29 5.4 CVE-2026-47694
xianrendzw–EasyReport A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-26 6.3 CVE-2026-9524
XX-net–XX-Net XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations. 2026-05-29 4 CVE-2026-10099
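Added example for the XX-Net entry above (this is not XX-Net code): a strict WebSocket frame parser that reads the 4-byte masking key only when the MASK bit is set, rejects non-zero RSV bits and reserved opcodes, and enforces the FIN/continuation rules of RFC 6455. The frames it is fed are constructed with the build_frame helper below.

```python
"""Added example (not XX-Net code): a strict RFC 6455 frame parser that only
reads a masking key when the MASK bit is set, rejects RSV bits and reserved
opcodes, and enforces the fragmentation rules for FIN/continuation frames."""
import struct

CONTROL_OPCODES = {0x8, 0x9, 0xA}      # close, ping, pong
DATA_OPCODES = {0x0, 0x1, 0x2}         # continuation, text, binary


class FrameError(ValueError):
    """Raised for any frame the server must refuse (RFC 6455: fail the connection)."""


def parse_frame(buf, client_to_server=True):
    """Parse one frame from the start of buf.

    Returns (fin, opcode, payload, bytes_consumed). Raises FrameError on
    malformed input instead of silently mis-decoding it."""
    if len(buf) < 2:
        raise FrameError("short header")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    rsv = (b0 >> 4) & 0x07
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if rsv:
        raise FrameError("RSV bits set but no extension was negotiated")
    if opcode not in CONTROL_OPCODES and opcode not in DATA_OPCODES:
        raise FrameError("reserved opcode %#x" % opcode)
    if opcode in CONTROL_OPCODES and (not fin or length > 125):
        raise FrameError("control frames must be unfragmented and <= 125 bytes")
    # RFC 6455 5.1: client-to-server frames MUST be masked, server-to-client MUST NOT be.
    if masked != client_to_server:
        raise FrameError("MASK bit does not match frame direction")
    if length == 126:
        if len(buf) < pos + 2:
            raise FrameError("short 16-bit length")
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if length < 126:
            raise FrameError("non-minimal length encoding")
    elif length == 127:
        if len(buf) < pos + 8:
            raise FrameError("short 64-bit length")
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        if length < 65536 or length >> 63:
            raise FrameError("bad 64-bit length")
    mask_key = b""
    if masked:  # the key is present only when the header says so
        if len(buf) < pos + 4:
            raise FrameError("short masking key")
        mask_key = buf[pos:pos + 4]
        pos += 4
    if len(buf) < pos + length:
        raise FrameError("short payload")
    payload = buf[pos:pos + length]
    if masked:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + length


def frame_is_valid(buf, client_to_server=True):
    """Convenience wrapper: True if parse_frame accepts the frame."""
    try:
        parse_frame(buf, client_to_server)
        return True
    except FrameError:
        return False


def build_frame(payload, opcode=0x1, fin=True, mask_key=None):
    """Encode a frame; pass a 4-byte mask_key for client-to-server frames."""
    b0 = (0x80 if fin else 0) | opcode
    mask_bit = 0x80 if mask_key else 0
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, mask_bit | n])
    elif n < 65536:
        hdr = bytes([b0, mask_bit | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
        return hdr + mask_key + payload
    return hdr + payload


class MessageAssembler:
    """Reassembles fragmented messages and enforces the FIN/continuation rules."""

    def __init__(self):
        self._opcode = None
        self._parts = []

    def feed(self, fin, opcode, payload):
        """Return (opcode, message) when a message completes, else None."""
        if opcode in CONTROL_OPCODES:
            return opcode, payload          # control frames may interleave
        if opcode == 0x0:
            if self._opcode is None:
                raise FrameError("continuation frame without a started message")
        elif self._opcode is not None:
            raise FrameError("new data frame while a message is in progress")
        else:
            self._opcode = opcode
        self._parts.append(payload)
        if not fin:
            return None
        message = (self._opcode, b"".join(self._parts))
        self._opcode, self._parts = None, []
        return message
```

Every malformed frame surfaces as FrameError so the caller can close the connection, which is what the RFC requires; the alternative the entry describes, consuming payload bytes as a key that was never sent, corrupts every frame that follows.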
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7. 2026-05-26 4.3 CVE-2026-46430
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server’s Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller’s Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7. 2026-05-26 4.3 CVE-2026-46431
yashpokharna2555–StudentManagementSystem A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 5.4 CVE-2026-9438
yehudah–faq shortocde The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘color’ shortcode attribute in the ‘faq’ shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-27 6.4 CVE-2026-8040
yhirose–cpp-httplib cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library’s only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server’s read loop consumes from the network. This vulnerability is fixed in 0.43.4. 2026-05-29 5.3 CVE-2026-45352
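Added example for the cpp-httplib entry above (not cpp-httplib code): a model of strtoul()'s sign handling, the weak guard the entry describes, and a strict chunk-size parser that accepts only what the chunked coding grammar allows and caps the size before any buffer is sized from it. The limits and the sample body are constructed.

```python
"""Added example (not cpp-httplib code): a model of strtoul()'s sign handling
next to a strict chunk-size parser that never lets a signed or oversized
value reach the read loop."""
import re

ULONG_MAX = (1 << 64) - 1          # unsigned long on LP64 platforms


def strtoul_like(text, base=16):
    """Model of C strtoul(): skip leading whitespace, accept an optional sign,
    convert the longest valid digit prefix, and wrap negatives modulo 2**64."""
    digits = "0-9a-fA-F" if base == 16 else "0-9"
    m = re.match(r"\s*([+-]?)([%s]+)" % digits, text)
    if not m:
        return 0
    value = int(m.group(2), base)
    if m.group(1) == "-":
        value = -value
    return value & ULONG_MAX


def parse_chunk_size_weak(line):
    """The pattern the entry describes: strtoul plus a guard for ULONG_MAX only.
    "-1" is caught; "-2" yields ULONG_MAX - 1 and passes."""
    size = strtoul_like(line, 16)
    if size == ULONG_MAX:
        raise ValueError("chunk-size overflow")
    return size


_CHUNK_SIZE_LINE = re.compile(r"^([0-9A-Fa-f]{1,16})(?:;[\x21-\x7e]*)?$")


class ChunkSizeError(ValueError):
    pass


def parse_chunk_size(line, max_chunk=1 << 20):
    """Strict parser for a chunk-size line (RFC 9112 section 7.1): hex digits
    only, no sign, no whitespace; a chunk extension after ';' is ignored.
    Also refuses values above max_chunk so a peer cannot request an
    allocation the server would never want to make."""
    m = _CHUNK_SIZE_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ChunkSizeError("malformed chunk-size line: %r" % line)
    size = int(m.group(1), 16)
    if size > max_chunk:
        raise ChunkSizeError("chunk of %d bytes exceeds limit %d" % (size, max_chunk))
    return size


def decode_chunked(body, max_chunk=1 << 20, max_total=16 << 20):
    """Decode a complete chunked body using the strict parser."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkSizeError("truncated chunk-size line")
        size = parse_chunk_size(body[pos:eol].decode("latin-1"), max_chunk)
        pos = eol + 2
        if size == 0:
            return bytes(out)              # trailer section, if any, is ignored here
        end = pos + size
        if len(body) < end + 2 or body[end:end + 2] != b"\r\n":
            raise ChunkSizeError("chunk data truncated or not CRLF-terminated")
        out += body[pos:end]
        if len(out) > max_total:
            raise ChunkSizeError("decoded body exceeds limit")
        pos = end + 2


def chunk_line_is_valid(line):
    try:
        parse_chunk_size(line)
        return True
    except ChunkSizeError:
        return False
```

The point of the strict grammar is that sign handling never becomes the parser's problem: a leading '-' is simply not a hex digit, so there is no wrapped value to guard against, and the explicit cap means the read loop is bounded even for well-formed sizes.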
yoast–Yoast SEO Advanced SEO with real-time guidance and built-in AI The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the ‘post_id’ parameter, including posts owned by other users, private posts, and draft posts. 2026-05-27 4.3 CVE-2025-14481
youtag–Two-factor authentication (formerly IP Vault) The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin’s firewall and two-factor authentication settings – including the operating mode, request include/exclude rules, authentication slug, and log retention period – potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-27 4.3 CVE-2026-8903
YunaiV–yudao-cloud A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-25 4.7 CVE-2026-9464
zed-industries–zed Zed is a code editor. Prior to 0.229.0, Zed’s terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0. 2026-05-28 6.4 CVE-2026-44462
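Added example for the Zed entry above (not Zed code, and not the reported bypass, whose details the entry does not give): why a prefix allowlist on the command string is not a permission boundary in bash. The value of ${var@P} is expanded as if it were a prompt string, so a parameter whose value contains \044(cmd) (octal for $) becomes a command substitution at expansion time. The gate below refuses anything bash would expand outside single quotes; the allowlist is constructed.

```python
"""Added example (not Zed code): a prefix allowlist beside a gate that refuses
bash expansion and control characters, plus a demo of what ${var@P} does."""
import re
import shlex
import shutil
import subprocess

ALLOWED_PREFIXES = ("git status", "git diff", "ls")   # constructed allowlist


def allowed_by_prefix(cmd):
    """The weak check: the command starts with an allowlisted prefix."""
    return any(cmd == p or cmd.startswith(p + " ") for p in ALLOWED_PREFIXES)


def _outside_single_quotes(cmd):
    """Drop single-quoted segments; bash performs no expansion inside them."""
    return re.sub(r"'[^']*'", "''", cmd)


def allowed(cmd):
    """Hardened check: prefix match, then refuse expansion and control
    characters anywhere bash would honour them, and require the line to
    tokenize with balanced quotes."""
    if not allowed_by_prefix(cmd):
        return False
    if re.search(r"[$`\\;&|<>\n(){}]", _outside_single_quotes(cmd)):
        return False
    try:
        shlex.split(cmd)
    except ValueError:               # unbalanced quotes
        return False
    return True


def expand_as_prompt(value):
    """Show what bash does with ${var@P}. Returns the expansion, or None when
    bash is missing or too old (the @P transformation needs bash 4.4+)."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    proc = subprocess.run(
        [bash, "-c", 'v=$1; printf %s "${v@P}"', "_", value],
        capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None
```

The lesson generalises past @P: any check that reasons about the command text rather than about the process that will run it has to reject every character bash could expand, or run the command without a shell at all.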
zephyrproject-rtos–Zephyr The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory. 2026-05-30 6.1 CVE-2026-5071
Zohocorp–Zoho Mail wordpress plugin Zohocorp Zoho Mail wordpress plugin is vulnerable to Cross-Site request forgery (CSRF). This issue affects Zoho Mail wordpress plugin versions before 1.6.2. 2026-05-26 5.7 CVE-2026-8174
ZTE–ZXUniPOS NDS-LTE Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim’s browser. Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content. Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks. 2026-05-27 5.7 CVE-2026-48999
ZTE–ZXUniPOS NDS-LTE Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user’s authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data. 2026-05-27 5.3 CVE-2026-49001
Zyxel–GS1200-5v3 firmware A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00(ACPS.2)C0, GS1200-8v3 firmware versions through 1.00(ACPT.2)C0,  GS1200-5HPv3 firmware versions through 1.00(ACPU.2)C0, GS1200-8HPv3 firmware versions through 1.00(ACPV.2)C0, and GS1200-10v3 firmware versions through 1.00(ACPW.2)C0 could allow a LAN-based, unauthenticated attacker to read the system configuration from a log file via a crafted HTTP request. 2026-05-26 6.5 CVE-2026-4795


Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info
Assimp–Assimp A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance. 2026-05-31 3.3 CVE-2026-10197
Assimp–Assimp A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug. 2026-05-31 3.3 CVE-2026-10198
Assimp–Assimp A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue. 2026-05-31 3.3 CVE-2026-10199
Assimp–Assimp A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug. 2026-05-31 3.3 CVE-2026-10201
bugsink–bugsink Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0. 2026-05-26 3.1 CVE-2026-47715
bugsink–bugsink Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0. 2026-05-26 3.1 CVE-2026-47716
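Added example for the two Bugsink entries above (not Bugsink code): the same two lookups in plain SQL over an in-memory sqlite schema constructed for this example. The unscoped query trusts the event id from the URL once the issue has been authorized; the scoped query requires the event to belong to that issue, and the bulk update stays inside the project that was authorized.

```python
"""Added example (not Bugsink code): unscoped versus scoped lookups over a
constructed schema. The caller is assumed to be authorized for project 1 only."""
import sqlite3

SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE issue   (id INTEGER PRIMARY KEY,
                      project_id INTEGER REFERENCES project(id),
                      resolved INTEGER DEFAULT 0);
CREATE TABLE event   (id INTEGER PRIMARY KEY,
                      issue_id INTEGER REFERENCES issue(id),
                      stacktrace TEXT);
"""


def make_db():
    """Two projects, one issue and one event each (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO project VALUES (?, ?)", [(1, "mine"), (2, "theirs")])
    conn.executemany("INSERT INTO issue (id, project_id) VALUES (?, ?)", [(10, 1), (20, 2)])
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)",
                     [(100, 10, "mine: NullPointer"), (200, 20, "theirs: SECRET trace")])
    return conn


def user_can_see_issue(conn, user_project_ids, issue_id):
    row = conn.execute("SELECT project_id FROM issue WHERE id = ?", (issue_id,)).fetchone()
    return row is not None and row[0] in user_project_ids


def event_unscoped(conn, user_project_ids, issue_id, event_id):
    """Vulnerable pattern: authorize the issue, then load the event by id alone."""
    if not user_can_see_issue(conn, user_project_ids, issue_id):
        return None
    row = conn.execute("SELECT stacktrace FROM event WHERE id = ?", (event_id,)).fetchone()
    return row[0] if row else None


def event_scoped(conn, user_project_ids, issue_id, event_id):
    """Fixed pattern: the event must also belong to the issue in the URL."""
    if not user_can_see_issue(conn, user_project_ids, issue_id):
        return None
    row = conn.execute(
        "SELECT e.stacktrace FROM event e JOIN issue i ON i.id = e.issue_id "
        "WHERE e.id = ? AND i.id = ?", (event_id, issue_id)).fetchone()
    return row[0] if row else None


def bulk_resolve_unscoped(conn, user_project_ids, project_id, issue_ids):
    """Vulnerable pattern: project authorized, issue ids applied as submitted."""
    if project_id not in user_project_ids:
        return 0
    q = "UPDATE issue SET resolved = 1 WHERE id IN (%s)" % ",".join("?" * len(issue_ids))
    return conn.execute(q, list(issue_ids)).rowcount


def bulk_resolve_scoped(conn, user_project_ids, project_id, issue_ids):
    """Fixed pattern: the WHERE clause carries the authorized project id."""
    if project_id not in user_project_ids:
        return 0
    q = ("UPDATE issue SET resolved = 1 WHERE project_id = ? AND id IN (%s)"
         % ",".join("?" * len(issue_ids)))
    return conn.execute(q, [project_id, *issue_ids]).rowcount
```

The returned rowcount of the scoped bulk update doubles as a cheap check: if it is smaller than the number of ids submitted, some of them did not belong to the project and the request can be logged as suspicious.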
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops. 2026-05-28 3.3 CVE-2026-47327
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppArmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses. 2026-05-28 3.3 CVE-2026-47329
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses. 2026-05-28 3.3 CVE-2026-47330
Canonical–Ubuntu Linux Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets. 2026-05-28 3.3 CVE-2026-47336
Canonical–Ubuntu Linux Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops. 2026-05-28 3.3 CVE-2026-47337
ellanetworks–core Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn’t enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 – it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0. 2026-05-27 3.7 CVE-2026-44474
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE. This vulnerability is fixed in 4.2.2. 2026-05-27 3.7 CVE-2026-42082
GNU–LibreDWG A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue. 2026-05-25 3.3 CVE-2026-9501
GNU–LibreDWG A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised. 2026-05-25 3.3 CVE-2026-9503
GNU–LibreDWG A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue. 2026-05-25 3.3 CVE-2026-9504
GNU–LibreDWG A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. 2026-05-26 3.3 CVE-2026-9529
GNU–LibreDWG A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue. 2026-05-26 3.3 CVE-2026-9530
GPAC–GPAC A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue. 2026-05-26 3.3 CVE-2026-9567
GPAC–GPAC A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue. 2026-05-26 3.3 CVE-2026-9572
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window – for example via a separately tracked CAN bus-off technique – can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation. 2026-05-29 2.4 CVE-2026-49317
Indian Motorcycle (Polaris Inc.)–Scout Bobber + Tech Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window – for example via a separately tracked CAN bus-off technique – can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation. 2026-05-29 2.4 CVE-2026-49318
JetBrains–IntelliJ IDEA In JetBrains IntelliJ IDEA before 2026.1 XXE in the UI Designer form parser was possible 2026-05-29 3.3 CVE-2026-49383
JetBrains–TeamCity In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible 2026-05-29 3.1 CVE-2026-49380
JetBrains–TeamCity In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible 2026-05-29 3.4 CVE-2026-49381
JetBrains–YouTrack In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests 2026-05-29 3.4 CVE-2026-49370
jpadilla–pyjwt PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker’s control. This vulnerability is fixed in 2.13.0. 2026-05-28 3.7 CVE-2026-48524
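Added example for the PyJWT entry above (not PyJWT code, and not its 2.13.0 fix): a JWKS key cache that cannot be driven into unbounded outbound fetches by unverified kid headers. Refreshes are rate limited, kids that were looked up and not found are negatively cached, and a failing endpoint is not retried in a loop. The JWKS fetcher, the clock and the token format are constructed for the example.

```python
"""Added example (not PyJWT code): a refresh-throttled JWKS cache keyed by an
untrusted kid. fetch_jwks, the clock and make_token are constructed."""
import base64
import json
import threading
import time


def unverified_kid(token):
    """Read kid from the JOSE header without verifying anything; this is the
    attacker-controlled value the cache must treat as untrusted."""
    header_b64 = token.split(".", 1)[0]
    header_b64 += "=" * (-len(header_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    kid = header.get("kid")
    if not isinstance(kid, str) or len(kid) > 128:
        raise ValueError("missing or unreasonable kid")
    return kid


class ThrottledJWKSCache:
    def __init__(self, fetch_jwks, min_refresh_interval=60.0,
                 negative_ttl=60.0, clock=time.monotonic):
        self._fetch = fetch_jwks            # callable returning a JWKS dict
        self._interval = min_refresh_interval
        self._negative_ttl = negative_ttl
        self._clock = clock
        self._keys = {}
        self._missing = {}                  # kid -> time it was last not found
        self._last_refresh = float("-inf")
        self._lock = threading.Lock()
        self.fetch_count = 0

    def get_signing_key(self, kid):
        with self._lock:
            if kid in self._keys:
                return self._keys[kid]
            now = self._clock()
            if now - self._missing.get(kid, float("-inf")) < self._negative_ttl:
                raise KeyError("kid %r recently not found" % kid)
            if now - self._last_refresh < self._interval:
                self._missing[kid] = now
                raise KeyError("kid %r unknown; refresh throttled" % kid)
            # Record the attempt before fetching so a failing endpoint is not hammered.
            self._last_refresh = now
            self.fetch_count += 1
            jwks = self._fetch()
            self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
            if kid in self._keys:
                return self._keys[kid]
            self._missing[kid] = now
            raise KeyError("kid %r not in JWKS" % kid)


def make_token(kid):
    """Constructed unsigned token carrying only a header kid (for the demo)."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": "RS256", "kid": kid}).encode()).rstrip(b"=")
    return header.decode() + ".e30.sig"


def simulate(n_unknown_kids, interval=60.0):
    """Feed n tokens with distinct unknown kids within one interval and return
    the number of JWKS fetches the cache actually performed."""
    t = [0.0]
    cache = ThrottledJWKSCache(lambda: {"keys": [{"kid": "k1", "kty": "RSA"}]},
                               min_refresh_interval=interval, clock=lambda: t[0])
    for i in range(n_unknown_kids):
        t[0] += 0.01
        try:
            cache.get_signing_key(unverified_kid(make_token("evil-%d" % i)))
        except KeyError:
            pass
    return cache.fetch_count
```

A legitimate key rotation still works: the first token carrying the new kid after the interval triggers one refresh, and every later token finds the key in the cache.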
magic-wormhole–magic-wormhole Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver specifies "--output <dir>" and that output directory already exists (as a directory). This vulnerability is fixed in 0.24.0. 2026-05-26 3.5 CVE-2026-42448
Mintplex-Labs–anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0. 2026-05-28 2 CVE-2026-45403
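Added example for the AnythingLLM copy-tool entry above (not AnythingLLM code, which is JavaScript): a recursive copy that inspects every child with lstat() rather than stat(), refuses symlinks and special files, keeps both top-level paths under an allowed root, and opens each file with O_NOFOLLOW so the lstat-then-open race is closed. demo() builds the scenario from the entry in a temporary directory; it assumes a POSIX filesystem.

```python
"""Added example (not AnythingLLM code): a symlink-refusing recursive copy and
a constructed demo of the leak a stat()/copyFile() copy allows."""
import os
import shutil
import stat
import tempfile


class CopyPolicyError(PermissionError):
    pass


def _inside(root, path):
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def safe_copytree(root, src, dst):
    """Copy directory src to a new directory dst. Returns the relative paths copied."""
    if not (_inside(root, src) and _inside(root, dst)):
        raise CopyPolicyError("top-level path escapes the allowed root")
    if os.path.islink(src) or not os.path.isdir(src):
        raise CopyPolicyError("source must be a real directory")
    os.makedirs(dst, exist_ok=False)
    copied = []
    for dirpath, dirnames, filenames in os.walk(src, followlinks=False):
        out_dir = os.path.normpath(os.path.join(dst, os.path.relpath(dirpath, src)))
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))      # lstat: never follow
            if stat.S_ISLNK(st.st_mode):
                raise CopyPolicyError("symlink refused: %s" % os.path.join(dirpath, name))
            if not (stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode)):
                raise CopyPolicyError("special file refused: %s" % name)
        for name in dirnames:
            os.mkdir(os.path.join(out_dir, name))
        for name in filenames:
            src_file = os.path.join(dirpath, name)
            dst_file = os.path.join(out_dir, name)
            # O_NOFOLLOW closes the lstat-then-open race for the file itself.
            fd = os.open(src_file, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
            with os.fdopen(fd, "rb") as fin, open(dst_file, "xb") as fout:
                shutil.copyfileobj(fin, fout)
            copied.append(os.path.relpath(dst_file, dst))
    return sorted(copied)


def demo():
    """Constructed scenario: a symlink nested in the allowed source points at a
    file outside the root. Returns (naive_leaks, safe_refuses, clean_copied)."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "allowed")
        outside = os.path.join(base, "outside")
        nested = os.path.join(root, "src", "nested")
        os.makedirs(nested)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("TOP SECRET")
        with open(os.path.join(nested, "ok.txt"), "w") as f:
            f.write("fine")
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(nested, "leak.txt"))

        # Naive copy: shutil.copytree follows symlinks by default, so the
        # outside file's contents land in dst as a regular file.
        shutil.copytree(os.path.join(root, "src"), os.path.join(root, "dst_naive"))
        with open(os.path.join(root, "dst_naive", "nested", "leak.txt")) as f:
            naive_leaks = f.read() == "TOP SECRET"

        try:
            safe_copytree(root, os.path.join(root, "src"), os.path.join(root, "dst_safe"))
            safe_refuses = False
        except CopyPolicyError:
            safe_refuses = True

        os.unlink(os.path.join(nested, "leak.txt"))
        clean_copied = safe_copytree(root, os.path.join(root, "src"),
                                     os.path.join(root, "dst_clean"))
        return naive_leaks, safe_refuses, clean_copied
    finally:
        shutil.rmtree(base)
```

Validating only the two top-level paths is exactly what fails here: the top-level source is inside the root, and so is the symlink, but what the symlink resolves to is not.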
Mintplex-Labs–anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0. 2026-05-28 2 CVE-2026-47713
OpenSC–OpenSC OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response. 2026-05-29 3.8 CVE-2026-40510
OpenSC–OpenSC OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with ‘=’ followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns. 2026-05-29 3.8 CVE-2026-40528
OUSL-GROUP-BrinaryBrains–School Student Management System A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-31 3.7 CVE-2026-10169
PuTTY–PuTTY PuTTY 0.72 before 0.84 has a double free in RSA KEX. 2026-05-25 3.7 CVE-2026-48850
PuTTY–PuTTY PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session. 2026-05-25 3.1 CVE-2026-48851
PuTTY–PuTTY PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification. 2026-05-25 3.7 CVE-2026-48852
QianFox–FoxCMS A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-27 2.4 CVE-2026-9608
Red Hat–Red Hat Quay 3 A flaw was found in the Quay config-tool’s GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure. 2026-05-29 2.7 CVE-2026-10078
rizinorg–rizin Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a double free in librz/core/cmd/cmd_search.c:byte_pattern_search() due to incorrectly declared pointer ownership. This vulnerability is fixed by commit 045fff363b42b8a6dda8ad5229c29ec3267e7dbe. 2026-05-29 3.3 CVE-2026-45324
rizinorg–rizin Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a heap-buffer-overflow in librz/bin/format/omf/omf.c. This vulnerability is fixed by commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47. 2026-05-29 3.3 CVE-2026-45613
Roundcube–Webmail Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. 2026-05-25 3.7 CVE-2026-48847
sambitraj–STUDENT-MANAGEMENT-SYSTEM A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-30 2.4 CVE-2026-10112
SourceCodester–Hospitals Patient Records Management System A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2026-05-26 2.4 CVE-2026-9564
SourceCodester–Indian Invoicing System A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-25 3.5 CVE-2026-9414
SourceCodester–Student Grades Management System A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2026-05-25 3.5 CVE-2026-9485
Synology–Surveillance Station Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. 2026-05-27 2.7 CVE-2024-47267
Synology–Surveillance Station Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. 2026-05-27 2.7 CVE-2024-47270
Synology–Surveillance Station Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. 2026-05-27 2.7 CVE-2024-47272
yashpokharna2555–StudentManagementSystem A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-25 3.5 CVE-2026-9471
ZTE–ZXUniPOS NDS-LTE This vulnerability stems from a business logic flaw. Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer’s expectations, to carry out malicious attacks. 2026-05-26 3.8 CVE-2026-44410


Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch (chat/api/oss/get_url) endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse validation function and the requests HTTP client, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1. 2026-05-26 not yet calculated CVE-2026-42335 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-r8hf-mwwr-hxgc
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1. 2026-05-26 not yet calculated CVE-2026-42336 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-6m4p-9wwc-4q5q
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1. 2026-05-26 not yet calculated CVE-2026-42337 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2jmj-gwvg-3gp2
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1. 2026-05-26 not yet calculated CVE-2026-45412 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-x9g5-j56j-4mfj
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat). This vulnerability is fixed in 2.9.1. 2026-05-26 not yet calculated CVE-2026-45413 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2m4c-mcq5-q8xq
 
Acer–Care Center A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message (message type 0x03) to the pipe, causing the service to crash with exit code 1067 (ERROR_PROCESS_ABORTED). To mitigate this potential local service disruption, Acer requires users to update the software to the latest version. 2026-05-25 not yet calculated CVE-2026-9490 https://community.acer.com/en/kb/articles/19668
 
Acer–NitroSense V3 NitroSense 3.x before 3.01.3052 contains a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. 2026-05-25 not yet calculated CVE-2026-9489 https://community.acer.com/en/kb/articles/19652
 
Acer–NitroSense V3 A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller’s privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority. 2026-05-28 not yet calculated CVE-2026-9789 https://community.acer.com/en/kb/articles/19670
 
Acer–Predator Connect W6x Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. 2026-05-29 not yet calculated CVE-2026-49195 https://community.acer.com/en/kb/articles/19672
 
Acer–Predator Connect W6x The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. 2026-05-29 not yet calculated CVE-2026-49196 https://community.acer.com/en/kb/articles/19672
 
Acer–Predator Connect W6x Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. 2026-05-29 not yet calculated CVE-2026-49197 https://community.acer.com/en/kb/articles/19672
 
Acer–Predator Connect W6x Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. 2026-05-29 not yet calculated CVE-2026-49198 https://community.acer.com/en/kb/articles/19672
 
Acer–Predator Connect W6x Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. 2026-05-29 not yet calculated CVE-2026-49199 https://community.acer.com/en/kb/articles/19672
 
Acer–Wave 7 router The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access. 2026-05-29 not yet calculated CVE-2026-49200 https://community.acer.com/en/kb/articles/19673
 
Acer–Wave 7 router The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. 2026-05-29 not yet calculated CVE-2026-49201 https://community.acer.com/en/kb/articles/19673
 
amir20–dozzle Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim’s valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2. 2026-05-26 not yet calculated CVE-2026-44985 https://github.com/amir20/dozzle/security/advisories/GHSA-j643-x8pv-8m67
https://github.com/amir20/dozzle/releases/tag/v10.5.2
 
Apache Software Foundation–Apache Airflow FAB provider Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated. 2026-05-25 not yet calculated CVE-2026-46745 https://github.com/apache/airflow/pull/66417
https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh
 
Apache Software Foundation–Apache Airflow Google provider Apache Airflow providers-google’s `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later. 2026-05-25 not yet calculated CVE-2026-45361 https://github.com/apache/airflow/pull/66746
https://lists.apache.org/thread/3lpj7ppwxp7jtp81rnxk75xvln7qd7h2
 
Apache Software Foundation–Apache Artemis Stomp Protocol A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn’t have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn’t have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission. This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.54.0, which fixes the issue. 2026-05-28 not yet calculated CVE-2026-40914 https://lists.apache.org/thread/6q3st8dlorz2q05svqn11k1xl7jkmm4c
 
Apache Software Foundation–Apache ECharts A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue. 2026-05-25 not yet calculated CVE-2026-45249 https://github.com/apache/echarts/pull/21608
https://echarts.apache.org/en/option.html#series-lines
https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safely
https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3o
 
Apache Software Foundation–Apache Flink Kubernetes Operator Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod’s filesystem and pull content from any backing store reachable through Flink’s pluggable filesystem layer and access them through the submitted Flink job. Furthermore, for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses. This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue. 2026-05-26 not yet calculated CVE-2026-40564 https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz
 
Apache Software Foundation–Apache Ignite Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with “cmd=log” command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version 2.18.0, which fixes the issue. 2026-05-28 not yet calculated CVE-2025-48977 https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1
 
Apache Software Foundation–Apache Shiro Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID. 2026-05-25 not yet calculated CVE-2026-43827 https://shiro.apache.org/security-reports.html#cve_2026_43827
 
Apache Software Foundation–Apache Shiro Default configurations of Apache Shiro send sensitive cookies in HTTPS sessions without the ‘Secure’ attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the ‘secure’ attribute by default. 2026-05-25 not yet calculated CVE-2026-43828 https://shiro.apache.org/security-reports.html#cve_2026_43828
 
Apache Software Foundation–Apache Shiro Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. 2026-05-25 not yet calculated CVE-2026-48589 https://shiro.apache.org/security-reports.html#cve_2026_48589
 
Apache Software Foundation–Apache Shiro Jakarta EE module With valid login credentials, URL Redirection to Untrusted Site (‘Open Redirect’), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated, and can be forged to make the server itself send an HTTP GET request to an arbitrary URL taken from the cookie. 2026-05-25 not yet calculated CVE-2026-44598 https://shiro.apache.org/security-reports.html#cve_2026_44598
 
Apache Software Foundation–Apache Syncope Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox. 2026-05-25 not yet calculated CVE-2026-42782 https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r
 
Apache Software Foundation–Apache Syncope Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition. 2026-05-25 not yet calculated CVE-2026-42797 https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6
 
Apple–macOS A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to access sensitive user data. 2026-05-26 not yet calculated CVE-2025-43289 https://support.apple.com/en-us/125110
https://support.apple.com/en-us/125111
https://support.apple.com/en-us/125112
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to modify protected parts of the file system. 2026-05-26 not yet calculated CVE-2025-43290 https://support.apple.com/en-us/125110
https://support.apple.com/en-us/125111
https://support.apple.com/en-us/125112
 
Apple–macOS A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to gain root privileges. 2026-05-26 not yet calculated CVE-2025-43306 https://support.apple.com/en-us/125110
https://support.apple.com/en-us/125111
https://support.apple.com/en-us/125112
 
Apple–macOS A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. 2026-05-26 not yet calculated CVE-2025-43451 https://support.apple.com/en-us/125110
 
Apple–macOS An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26. An app may be able to cause unexpected system termination. 2026-05-26 not yet calculated CVE-2025-46280 https://support.apple.com/en-us/125110
 
Apple–macOS A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to gain root privileges. 2026-05-26 not yet calculated CVE-2025-46284 https://support.apple.com/en-us/125110
https://support.apple.com/en-us/125111
 
Apple–macOS A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. 2026-05-26 not yet calculated CVE-2025-46307 https://support.apple.com/en-us/125110
 
AppLockZ–App Lock and Fingerprint Lock AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android’s secure authentication APIs. By navigating cascading interface flows (insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E]) via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. 2026-05-26 not yet calculated CVE-2025-68711 https://play.google.com/store/apps/details?id=applock.passwordfingerprint.applockz
https://github.com/actuator/applock.passwordfingerprint.applockz
https://github.com/actuator/applock.passwordfingerprint.applockz/blob/main/CVE-2025-68711
 
ASUS–Armoury Crate Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver’s validation mechanism, resulting in unauthorized read and write access to physical memory. Refer to the ‘Security Update for Armoury Crate App’ section on the ASUS Security Advisory for more information. 2026-05-29 not yet calculated CVE-2026-8070 https://www.asus.com/security-advisory
 
ASUS–ASUS System Control Interface An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypasses the validation mechanism. Refer to the ‘Security Update for ASUS System Control Interface’ section on the ASUS Security Advisory for more information. 2026-05-29 not yet calculated CVE-2026-7480 https://www.asus.com/security-advisory/
 
BackdropCMS–GDPR cookies module for Backdrop CMS The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn’t sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional ‘Info content’ field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission “Create a GDPR Cookies Service” or “Edit any GDPR Cookies Service” and a site must have added a YouTube service as configuration. 2026-05-26 not yet calculated CVE-2025-71310 https://backdropcms.org/security/sa-contrib-2025-013
 
benoitc–hackney Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47066 https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j
https://cna.erlef.org/cves/CVE-2026-47066.html
https://osv.dev/vulnerability/EEF-CVE-2026-47066
https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894
 
benoitc–hackney Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes – directly as request targets, as configured webhook URLs, or via Location headers followed during redirects – can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47067 https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62
https://cna.erlef.org/cves/CVE-2026-47067.html
https://osv.dev/vulnerability/EEF-CVE-2026-47067
https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e
 
benoitc–hackney Improper Neutralization of CRLF Sequences (‘CRLF Injection’) vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option – for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path – can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47069 https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2
https://cna.erlef.org/cves/CVE-2026-47069.html
https://osv.dev/vulnerability/EEF-CVE-2026-47069
https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540
 
benoitc–hackney Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47070 https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4
https://cna.erlef.org/cves/CVE-2026-47070.html
https://osv.dev/vulnerability/EEF-CVE-2026-47070
https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246
 
benoitc–hackney Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47071 https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr
https://cna.erlef.org/cves/CVE-2026-47071.html
https://osv.dev/vulnerability/EEF-CVE-2026-47071
https://github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae
 
benoitc–hackney Improper Neutralization of CRLF Sequences (‘CRLF Injection’) vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options – for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 – can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47072 https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg
https://cna.erlef.org/cves/CVE-2026-47072.html
https://osv.dev/vulnerability/EEF-CVE-2026-47072
https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
 
benoitc–hackney Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47073 https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf
https://cna.erlef.org/cves/CVE-2026-47073.html
https://osv.dev/vulnerability/EEF-CVE-2026-47073
https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc
 
benoitc–hackney Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47075 https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf
https://cna.erlef.org/cves/CVE-2026-47075.html
https://osv.dev/vulnerability/EEF-CVE-2026-47075
https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9
 
benoitc–hackney Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP’s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller’s allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney’s normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47076 https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq
https://cna.erlef.org/cves/CVE-2026-47076.html
https://osv.dev/vulnerability/EEF-CVE-2026-47076
https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f
 
benoitc–hackney Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame – it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout – 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1. 2026-05-25 not yet calculated CVE-2026-47077 https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc
https://cna.erlef.org/cves/CVE-2026-47077.html
https://osv.dev/vulnerability/EEF-CVE-2026-47077
https://github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc
 
BINGOS–Archive::Tar Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header’s linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path. 2026-05-26 not yet calculated CVE-2026-42496 https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch
https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes
https://www.cve.org/CVERecord?id=CVE-2026-42497
 
BINGOS–Archive::Tar Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header’s linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file’s inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header’s mode, owner, and timestamps to the shared inode during extraction alone. 2026-05-26 not yet calculated CVE-2026-42497 https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch
https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes
https://www.cve.org/CVERecord?id=CVE-2026-42496
 
BINGOS–Archive::Tar Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry’s payload with $handle->read($$data, $block), where $block is derived from the entry’s 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size. 2026-05-26 not yet calculated CVE-2026-9538 https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch
https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes
 
Bolt–Bolt CMS Bolt CMS through 3.7.0 allows SQL Injection in the ‘order’ parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information. 2026-05-29 not yet calculated CVE-2026-39229 https://github.com/bolt/bolt
https://boltcms.io/
https://github.com/Tonoss-412/My-CVE/blob/main/CVE-2026-39229.md
 
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0. 2026-05-27 not yet calculated CVE-2026-48128 https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9
 
Budibase–budibase Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost, causing the server to initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on their behalf. This vulnerability is fixed in 3.35.3. 2026-05-27 not yet calculated CVE-2026-48148 https://github.com/Budibase/budibase/security/advisories/GHSA-cv96-5348-p5p8
 
bzip2–bzip2 bzip2 contains an off-by-one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out-of-bounds write to a global buffer, resulting in memory corruption and a crash (denial of service). This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67. 2026-05-28 not yet calculated CVE-2026-42250 https://cert.pl/en/posts/2026/05/CVE-2026-42250/
https://sourceware.org/bzip2/
https://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/
https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key. 2026-05-28 not yet calculated CVE-2026-9090 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that allows users to bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement. 2026-05-28 not yet calculated CVE-2026-9091 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address. 2026-05-28 not yet calculated CVE-2026-9092 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor. 2026-05-28 not yet calculated CVE-2026-9093 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token’s user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries. 2026-05-28 not yet calculated CVE-2026-9094 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials. 2026-05-28 not yet calculated CVE-2026-9095 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued. 2026-05-28 not yet calculated CVE-2026-9096 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens. 2026-05-28 not yet calculated CVE-2026-9097 https://kb.cert.org/vuls/id/780781
 
Casdoor–Casdoor In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access. 2026-05-28 not yet calculated CVE-2026-9098 https://kb.cert.org/vuls/id/780781
 
cinnyapp–cinny Cinny is a Matrix client. Prior to 4.10.3, a remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim’s client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker for the room containing a malicious emote pack. This is caused by an incorrect fallback in EmojiBoard that uses untrusted pack.meta.avatar (user-controlled) without converting/validating it as an MXC URL, allowing arbitrary HTTP(S) URLs to be used. Additionally, the service worker attaches the user’s Authorization bearer token to all outbound GET requests whose URL contains /_matrix/client/v1/media/download or /_matrix/client/v1/media/thumbnail without verifying that the request host matches the configured homeserver origin. An attacker-controlled URL containing those path fragments and permissive CORS will receive the victim’s Authorization header (access token). This vulnerability is fixed in 4.10.3. 2026-05-27 not yet calculated CVE-2026-42553 https://github.com/cinnyapp/cinny/security/advisories/GHSA-j944-w549-3453
https://github.com/cinnyapp/cinny/releases/tag/v4.10.3
 
cloudnative-pg–cloudnative-pg CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY … TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3. 2026-05-28 not yet calculated CVE-2026-44477 https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39
https://github.com/cloudnative-pg/cloudnative-pg/pull/10576
 
cnighswonger–claude-code-cache-fix claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code’s hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user’s Claude Code process. This vulnerability is fixed in 3.5.2. 2026-05-27 not yet calculated CVE-2026-45136 https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
https://github.com/cnighswonger/claude-code-cache-fix/issues/108
https://github.com/cnighswonger/claude-code-cache-fix/pull/110
 
CP Plus–Wi-Fi Camera CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q, CP-Z45Q This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device. 2026-05-25 not yet calculated CVE-2026-9274 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0266
 
Craft–CMS 5.9.5 Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate). 2026-05-27 not yet calculated CVE-2026-31266 https://github.com/craftcms/cms
https://github.com/0xrixet/cms-security-poc
 
creatorsofcode–simplephp A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of creatorsofcode simplephp at GitHub commit 5184cff (latest as of 2026-02-27) and can be triggered by injecting a crafted payload. 2026-05-27 not yet calculated CVE-2026-38931 http://creatorsofcode.com
http://simplephp.com
https://moworn.github.io/post/cve-2026-38931/
 
D-Link Corporation–DWR-X1820 The D-Link DWR-X1820 router uses a weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in version 1.00B16CP. 2026-05-28 not yet calculated CVE-2026-4377 https://cert.pl/posts/2026/05/CVE-2026-4377
https://www.dlink.com/pl/pl/products/dwr-1820-cp#support
 
Dataojitori–nocturne_memory Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins=["*"], operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client. An attacker on the same network can read, write, or delete all memory entries – including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection. This vulnerability is fixed in 2.4.1. 2026-05-27 not yet calculated CVE-2026-44830 https://github.com/Dataojitori/nocturne_memory/security/advisories/GHSA-crr4-xrj9-ww8g
 
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated – it does NOT enforce organization scoping. Each endpoint must individually verify the resource’s org matches the session’s activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts. 2026-05-29 not yet calculated CVE-2026-43917 https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg
 
Dolibarr–ERP/CRM An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php. 2026-05-27 not yet calculated CVE-2026-37711 https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq
https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/
 
Dolibarr–ERP/CRM An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in the function job type. 2026-05-27 not yet calculated CVE-2026-37712 https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-c2jp-w9cj-6cx4
https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/
 
Dolibarr–ERP/CRM An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php. 2026-05-27 not yet calculated CVE-2026-37713 https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-cq92-jp5j-rwvj
https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/
 
dotCMS–dotCMS Core Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported. 2026-05-27 not yet calculated CVE-2026-8054 dotCMS Known Security Issues — SI-75
dotCMS/core#35553 — Fix SQL injection in Publish Audit API
 
Drupal–SAML SSO – Service Provider Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO – Service Provider allows Privilege Escalation. This issue affects SAML SSO – Service Provider: from 0.0.0 before 3.1.4. 2026-05-28 not yet calculated CVE-2026-5343 https://www.drupal.org/sa-contrib-2026-031
 
Drupal–TFA Basic Plugins An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2. 2026-05-28 not yet calculated CVE-2026-6816 Drupal security advisory SA-CONTRIB-2025-085
https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085
 
Easyelife–App Lock Easyelife App lock (aka Fingerprint, Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android’s secure authentication APIs. By navigating cascading interface flows – insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents – an attacker can evade lockscreen verification and access protected apps (e.g., Chrome), resulting in information disclosure and privilege escalation. 2026-05-26 not yet calculated CVE-2025-68710 https://play.google.com/store/apps/details?id=locker.app.safe.applocker
https://github.com/actuator/locker.app.safe.applocker
https://github.com/actuator/locker.app.safe.applocker/blob/main/CVE-2025-68710
 
electerm–electerm electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied. 2026-05-28 not yet calculated CVE-2026-45058 https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj
 
electerm–electerm electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, this vulnerability is fixed in 3.9.0. 2026-05-28 not yet calculated CVE-2026-45353 https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv
https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507
 
electerm–electerm electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5. 2026-05-28 not yet calculated CVE-2026-45787 https://github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76wh
https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937
 
element-hq–synapse Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1. 2026-05-28 not yet calculated CVE-2026-45076 https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v
 
element-hq–synapse Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1. 2026-05-28 not yet calculated CVE-2026-45078 https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g
 
Emlog–Emlog Pro v2.6.9 The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or directly include malicious code files in the current template. 2026-05-29 not yet calculated CVE-2026-39276 https://www.emlog.net/
https://github.com/LING12138-sg/Emlog-v2.6.9-Vulnerability-Report
 
Erlang–OTP Improper Following of a Certificate’s Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim’s trust store, can use that certificate’s private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. 2026-05-27 not yet calculated CVE-2026-42789 https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq
https://cna.erlef.org/cves/CVE-2026-42789.html
https://osv.dev/vulnerability/EEF-CVE-2026-42789
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db
https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd
 
Erlang–OTP Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:… constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. 2026-05-27 not yet calculated CVE-2026-42790 https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447
https://cna.erlef.org/cves/CVE-2026-42790.html
https://osv.dev/vulnerability/EEF-CVE-2026-42790
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759
https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457
https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a
 
Erlang–OTP Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid. This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case – server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate. This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1. 2026-05-27 not yet calculated CVE-2026-42791 https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff
https://cna.erlef.org/cves/CVE-2026-42791.html
https://osv.dev/vulnerability/EEF-CVE-2026-42791
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b
https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76
 
esm-dev–esm.sh esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server. 2026-05-28 not yet calculated CVE-2026-44593 https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465
 
ex-aws–ex_aws_sns Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines ‘Elixir.ExAws.SNS’:verify_message/1, ‘Elixir.ExAws.SNS.PublicKeyCache’:get/1. ‘Elixir.ExAws.SNS’:verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification. This issue affects ex_aws_sns: from 2.0.1 before 2.3.5. 2026-05-28 not yet calculated CVE-2026-47074 https://github.com/ex-aws/ex_aws_sns/security/advisories/GHSA-8jgf-23q5-x7xx
https://cna.erlef.org/cves/CVE-2026-47074.html
https://osv.dev/vulnerability/EEF-CVE-2026-47074
https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48
 
Falco Solutions–PHPPageBuilding v0.31.0 Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of uploaded file types and executable content. 2026-05-29 not yet calculated CVE-2026-39292 https://github.com/HansSchouten/PHPageBuilder
https://github.com/krishnadevpmelevila/CVE-2026-39292/tree/main
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_bgp_attribute() function correctly identifies when extended_length_bit is set and sets length_of_length_field to 2, but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173). Per RFC 4271 Section 4.3, when the Extended Length bit is set, the Attribute Length field is two octets and the value should be read as a 16-bit big-endian integer from value[2] and value[3]. As a result, any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining 256 bytes are then misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access. 2026-05-26 not yet calculated CVE-2026-48685 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.hpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48685-bgp-extended-length
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template branch (lines 1695-1702) iterates over flow records without performing a per-iteration bounds check against the packet end pointer. In contrast, the Options template branch (lines 1709-1719) correctly checks 'if (pkt + offset + field_template->total_length > packet_end)' before each iteration. The Data branch omits this check entirely. Since template definitions are sent by the network peer (and are unauthenticated UDP), an attacker can craft templates that cause the parser to read arbitrary memory past the packet buffer. This can leak sensitive memory contents or cause a crash. 2026-05-26 not yet calculated CVE-2026-48683 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/netflow_plugin/netflow_v9_collector.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48683-netflow-v9-data-oob
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer. 2026-05-26 not yet calculated CVE-2026-48684 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/netflow_plugin/netflow_v9_collector.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48684-netflow-v9-options-oob
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior. 2026-05-26 not yet calculated CVE-2026-48686 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` "- {FASTNETMON] - " . $msg . " " >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters. 2026-05-26 not yet calculated CVE-2026-48687 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/juniper_plugin/fastnetmon_juniper.php
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48687-juniper-cmd-injection
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging ‘we should add sanity checks to avoid reads after attribute memory block.’ The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size. 2026-05-26 not yet calculated CVE-2026-48688 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48688-bgp-mp-reach-nlri-ipv6
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency. 2026-05-26 not yet calculated CVE-2026-48689 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/dynamic_binary_buffer.hpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) arithmetic. With max_captured_packet_size=1500 and sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires approximately 1516 bytes. If buffer_size_in_packets exceeds approximately 2,832,542, the multiplication overflows, resulting in a much smaller allocation than expected. Subsequent write_packet() calls then write past the allocated buffer, causing heap corruption. The buffer_size_in_packets value is derived from the ban_details_records_count configuration parameter, which is parsed using atoi() with no overflow checking. 2026-05-26 not yet calculated CVE-2026-48690 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/packet_storage.hpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48690-packet-storage-integer-overflow
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (lines 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs. 2026-05-26 not yet calculated CVE-2026-48691 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.hpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48691-bgp-as-path-overflow
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges ‘Listen on the given address without any authentication mechanism.’ None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The ExecuteBan and ExecuteUnBan methods trigger security-critical actions: BGP route announcements that can blackhole network traffic, and execution of external notification scripts via popen(). An attacker with local network access can ban arbitrary IP addresses (causing denial of service to legitimate traffic), unban active attacks (disabling DDoS mitigation), and trigger script execution. There is also no role-based access control separating read-only monitoring from destructive administrative operations. 2026-05-26 not yet calculated CVE-2026-48692 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/api.cpp
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48692-grpc-no-auth
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root). 2026-05-26 not yet calculated CVE-2026-48693 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon_logic.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48693-symlink-tmp
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF set-configuration commands at lines 69 and 90 without any validation or sanitization. Line 69: $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"). Line 90: $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"). An attacker who can control the IP address string can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set/delete commands. This could modify the router's routing table, firewall filters, user accounts, or any other configuration element accessible via NETCONF. The impact is full router compromise. 2026-05-26 not yet calculated CVE-2026-48694 https://github.com/pavel-odintsov/fastnetmon
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48694-juniper-netconf-injection
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` "- {FASTNETMON] - " . $msg . " " >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg(). 2026-05-26 not yet calculated CVE-2026-48695 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/mikrotik_plugin/fastnetmon_mikrotik.php
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48695-mikrotik-cmd-injection
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689. 2026-05-26 not yet calculated CVE-2026-48696 https://github.com/pavel-odintsov/fastnetmon
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48696-exabgp-sprintf-overflow
 
FastNetMon–FastNetMon Community Edition FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server’s certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server. 2026-05-26 not yet calculated CVE-2026-48697 https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fast_library.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48697-missing-tls-validation
 
flowintel–flowintel FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server’s network context. 2026-05-28 not yet calculated CVE-2026-9813 https://github.com/flowintel/flowintel/commit/68b523b47854c54bf36fd706c0fd5353063b5409
 
Follet School Solutions–Destiny Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of handleloginform.do. 2026-05-28 not yet calculated CVE-2024-47096 https://www.securin.io/zero-day/cve-2024-47096-reflected-cross-site-scripting-in-follett-school-solutions-destiny-library-manager/
 
Follet School Solutions–Destiny Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. 2026-05-28 not yet calculated CVE-2024-47097 https://www.securin.io/zero-day/cve-2024-47097-reflected-cross-site-scripting-in-follett-school-solutions-destiny-library-manager/
 
free5gc–free5gc free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2. 2026-05-27 not yet calculated CVE-2026-42459 https://github.com/free5gc/free5gc/security/advisories/GHSA-585v-hcgf-jhfr
 
FreePBX–security-reporting FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module’s OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8. 2026-05-29 not yet calculated CVE-2026-44237 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h63-8vcc
 
FreePBX–security-reporting FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11. 2026-05-29 not yet calculated CVE-2026-44238 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x
 
FreePBX–security-reporting FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5. 2026-05-29 not yet calculated CVE-2026-44239 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v
 
FreePBX–security-reporting FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7. 2026-05-29 not yet calculated CVE-2026-46376 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx
 
FreeRDP–FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP’s planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0. 2026-05-29 not yet calculated CVE-2026-45700 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh
 
gitbutlerapp–gitbutler GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7. 2026-05-28 not yet calculated CVE-2026-45261 https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6
 
GitHub–Enterprise Server A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program. 2026-05-26 not yet calculated CVE-2026-8606 https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1
https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19
 
GitHub–Enterprise Server A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program. 2026-05-27 not yet calculated CVE-2026-9312 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8
https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4
https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1
 
go-git–go-git go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3. 2026-05-27 not yet calculated CVE-2026-45022 https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp
 
go-git–go-git go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git’s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4. 2026-05-27 not yet calculated CVE-2026-45570 https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp
 
golang.org/x/image–golang.org/x/image/bmp Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. 2026-05-29 not yet calculated CVE-2026-42500 https://go.dev/issue/79576
https://groups.google.com/g/golang-announce/c/uhYX90BlBvI
https://go.dev/cl/781500
https://pkg.go.dev/vuln/GO-2026-5031
 
golang.org/x/image–golang.org/x/image/tiff The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. 2026-05-29 not yet calculated CVE-2026-46599 https://go.dev/issue/79577
https://go.dev/cl/759960
https://groups.google.com/g/golang-announce/c/uhYX90BlBvI
https://pkg.go.dev/vuln/GO-2026-5032
 
Google Cloud–Apigee-X A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy. 2026-05-26 not yet calculated CVE-2026-2264 https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034
 
Google–Chrome Use after free in Passwords in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10000 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513505608
 
Google–Chrome Use after free in PerformanceManager in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10001 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513505927
 
Google–Chrome Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10002 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513536416
 
Google–Chrome Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10003 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513609324
 
Google–Chrome Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10004 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513730012
 
Google–Chrome Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10005 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513750089
 
Google–Chrome Race in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10006 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513750691
 
Google–Chrome Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10007 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513754619
 
Google–Chrome Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10008 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513768979
 
Google–Chrome Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10009 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513973560
 
Google–Chrome Inappropriate implementation in Input in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10010 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513995565
 
Google–Chrome Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10011 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/514017326
 
Google–Chrome Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10012 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/514063977
 
Google–Chrome Use after free in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10013 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/514715455
 
Google–Chrome Use after free in WebMIDI in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10014 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/514742327
 
Google–Chrome Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10015 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/514746176
 
Google–Chrome Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-10016 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/515155946
 
Google–Chrome Out of bounds read in Headless in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10017 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504156069
 
Google–Chrome Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10018 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504175501
 
Google–Chrome Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10019 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/505056913
 
Google–Chrome Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10020 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/496565479
 
Google–Chrome Insufficient validation of untrusted input in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10021 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/497327715
 
Google–Chrome Type Confusion in V8 in Google Chrome prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium) 2026-05-28 not yet calculated CVE-2026-10022 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513289241
 
Google–Chrome Out of bounds write in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9872 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/505077859
 
Google–Chrome Use after free in Network in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9873 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/507365348
 
Google–Chrome Use after free in Dawn in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9874 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500609038
 
Google–Chrome Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9875 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/507508103
 
Google–Chrome Use after free in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9876 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/493747593
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9877 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/496445460
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9878 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499054245
 
Google–Chrome Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9879 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499129768
 
Google–Chrome Insufficient validation of untrusted input in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9880 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503615025
 
Google–Chrome Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9881 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/505140741
 
Google–Chrome Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9882 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506375217
 
Google–Chrome Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9883 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506477192
 
Google–Chrome Use after free in Browser in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9884 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508289938
 
Google–Chrome Insufficient validation of untrusted input in UI in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9885 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508452241
 
Google–Chrome Use after free in Base in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9886 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508456788
 
Google–Chrome Use after free in Proxy in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted PAC script. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9887 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511249104
 
Google–Chrome Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9888 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511715166
 
Google–Chrome Out of bounds read and write in Dawn in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9889 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511727159
 
Google–Chrome Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9890 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513135985
 
Google–Chrome Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9891 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513508128
 
Google–Chrome Inappropriate implementation in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9892 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513948178
 
Google–Chrome Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) 2026-05-28 not yet calculated CVE-2026-9893 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513972075
 
Google–Chrome Use after free in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9894 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/507707838
 
Google–Chrome Out of bounds read in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9895 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/491685406
 
Google–Chrome Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9896 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508811474
 
Google–Chrome Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9897 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/496271580
 
Google–Chrome Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9898 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/496282591
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9899 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/497533569
 
Google–Chrome Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9900 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/497637277
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9901 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/497737770
 
Google–Chrome Use after free in Accessibility in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9902 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/498205735
 
Google–Chrome Insufficient validation of untrusted input in Site Isolation in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted MHTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9903 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/498783665
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9904 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/498804020
 
Google–Chrome Use after free in Accessibility in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9905 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/498883610
 
Google–Chrome Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9906 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499005260
 
Google–Chrome Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9907 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499091269
 
Google–Chrome Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9908 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499091328
 
Google–Chrome Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9909 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499152771
 
Google–Chrome Out of bounds memory access in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9910 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499176133
 
Google–Chrome Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9911 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499205491
 
Google–Chrome Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9912 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/499873765
 
Google–Chrome Inappropriate implementation in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9913 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500046096
 
Google–Chrome Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9914 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500047428
 
Google–Chrome Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9915 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500063836
 
Google–Chrome Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9916 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500080303
 
Google–Chrome Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9917 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500095304
 
Google–Chrome Inappropriate implementation in Tint in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9918 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500099471
 
Google–Chrome Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9919 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500114058
 
Google–Chrome Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9920 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500138014
 
Google–Chrome Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin information via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9921 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500150338
 
Google–Chrome Use after free in GPU in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9922 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500187083
 
Google–Chrome Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9923 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500393328
 
Google–Chrome Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9924 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500398345
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9925 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500536458
 
Google–Chrome Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9926 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500540748
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9927 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/500540958
 
Google–Chrome Out of bounds read in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9928 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501125002
 
Google–Chrome Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9929 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501367791
 
Google–Chrome Out of bounds write in Dawn in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9930 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501499832
 
Google–Chrome Use after free in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9931 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501524262
 
Google–Chrome Use after free in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9932 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501563323
 
Google–Chrome Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9933 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501575979
 
Google–Chrome Use after free in Aura in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9934 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501576946
 
Google–Chrome Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9935 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/501584689
 
Google–Chrome Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9936 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502104354
 
Google–Chrome Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9937 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502112506
 
Google–Chrome Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9938 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502300817
 
Google–Chrome Heap buffer overflow in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9939 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502735235
 
Google–Chrome Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9940 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502738003
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9941 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502812366
 
Google–Chrome Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9942 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503438092
 
Google–Chrome Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9943 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503464551
 
Google–Chrome Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9944 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503471286
 
Google–Chrome Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9945 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503565293
 
Google–Chrome Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9946 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503596863
 
Google–Chrome Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9947 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503627446
 
Google–Chrome Use after free in Views in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9948 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503790201
 
Google–Chrome Use after free in Core in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9949 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503793153
 
Google–Chrome Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9950 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503862359
 
Google–Chrome Use after free in UI in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9951 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503873388
 
Google–Chrome Use after free in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9952 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503929476
 
Google–Chrome Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9953 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/503985322
 
Google–Chrome Use after free in TabStrip in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9954 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504175497
 
Google–Chrome Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9955 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504184408
 
Google–Chrome Use after free in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9956 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504195132
 
Google–Chrome Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9957 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504516117
 
Google–Chrome Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9958 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504555886
 
Google–Chrome Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9959 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504557432
 
Google–Chrome Integer overflow in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted font file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9960 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504573260
 
Google–Chrome Use after free in SurfaceCapture in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9961 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504710769
 
Google–Chrome Use after free in WebRTC in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9962 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/504716948
 
Google–Chrome Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9963 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/505143241
 
Google–Chrome Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9964 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/505190999
 
Google–Chrome Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9965 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506377574
 
Google–Chrome Integer overflow in XML in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9966 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506388321
 
Google–Chrome Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9967 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506414791
 
Google–Chrome Integer overflow in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9968 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506499280
 
Google–Chrome Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9969 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506550494
 
Google–Chrome Use after free in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9970 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/506653647
 
Google–Chrome Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9971 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508448586
 
Google–Chrome Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9972 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/508463705
 
Google–Chrome Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9973 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/509268941
 
Google–Chrome Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9974 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511710468
 
Google–Chrome Out of bounds read and write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9975 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511719039
 
Google–Chrome Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9976 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511732828
 
Google–Chrome Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9977 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511741173
 
Google–Chrome Use after free in Glic in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9978 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511741396
 
Google–Chrome Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9979 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511742228
 
Google–Chrome Insufficient validation of untrusted input in Printing in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9980 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511776372
 
Google–Chrome Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9981 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/512995705
 
Google–Chrome Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9982 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513001247
 
Google–Chrome Type Confusion in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9983 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513001309
 
Google–Chrome Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9984 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513002543
 
Google–Chrome Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9985 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513019760
 
Google–Chrome Insufficient validation of untrusted input in OptimizationGuide in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9986 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513028160
 
Google–Chrome Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9987 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513046475
 
Google–Chrome Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9988 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513049286
 
Google–Chrome Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9989 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513054053
 
Google–Chrome Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9990 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513128608
 
Google–Chrome Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9991 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513173565
 
Google–Chrome Use after free in Network in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9992 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513177826
 
Google–Chrome Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted PDF file. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9993 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513208588
 
Google–Chrome Use after free in Core in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9994 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513235131
 
Google–Chrome Use after free in WebXR in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9995 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513256572
 
Google–Chrome Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9996 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513268100
 
Google–Chrome Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9997 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513324041
 
Google–Chrome Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9998 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513337118
 
Google–Chrome Inappropriate implementation in ANGLE in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-28 not yet calculated CVE-2026-9999 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513364480
 
Google–MCP Toolbox for Databases Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05. 2026-05-27 not yet calculated CVE-2026-9739 https://github.com/googleapis/mcp-toolbox/issues/3053
https://github.com/googleapis/mcp-toolbox/pull/3054
 
GOVCERT-LU–eml_parser eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1. 2026-05-26 not yet calculated CVE-2026-44844 https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8
 
GPAC–MP4Box A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV). 2026-05-27 not yet calculated CVE-2025-70116 https://github.com/gpac/gpac/issues/3345
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364
https://infosec.exchange/@sigdevel/116624563750949972
 
grokability–snipe-it Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1. 2026-05-26 not yet calculated CVE-2026-44832 https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr
https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
 
Hitachi Energy–MACH HiDraw A heap-based buffer overflow vulnerability exists in the XML parser functionality of HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file, which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system. 2026-05-26 not yet calculated CVE-2026-7310 https://publisher.hitachienergy.com/preview?DocumentID=8DBD000248&LanguageCode=en&DocumentPartId=&Action=Launch
 
Hitachi Energy–RTU500 series CMU firmware The IEC 60870-5-104 protocol used in bidirectional mode in RTU500 is vulnerable to a NULL pointer dereference if a specially crafted sequence of messages is sent for a certain time, causing a denial of service. The product is only affected if IEC 60870-5-104 functionality in bidirectional mode (BCI) is configured. 2026-05-26 not yet calculated CVE-2026-8479 https://publisher.hitachienergy.com/preview?DocumentID=8DBD000252&LanguageCode=en&DocumentPartId=&Action=Launch
 
IBM–Aspera HSTS for CP4I IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 2026-05-27 not yet calculated CVE-2026-7876 https://www.ibm.com/support/pages/node/7274127
 
IBM–Business Automation Workflow containers and traditional IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages. 2026-05-27 not yet calculated CVE-2026-1248 https://www.ibm.com/support/pages/node/7271445
 
IBM–HTTP Server IBM HTTP Server 8.5, and 9.0 2026-05-26 not yet calculated CVE-2026-9170 https://www.ibm.com/support/pages/node/7274065
 
IBM–OPENBMC IBM OPENBMC FW1110.00 through FW1110.11 is vulnerable to denial of service attacks by unauthenticated network users. 2026-05-27 not yet calculated CVE-2026-7254 https://www.ibm.com/support/pages/node/7272993
 
inducer–relate RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted ‘pickle’ data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue. 2026-05-27 not yet calculated CVE-2026-47161 https://github.com/inducer/relate/security/advisories/GHSA-4mwh-mwv4-m252
https://github.com/inducer/relate/commit/d66ba5659b459bf1ba56b7109b5f9ecf197cbefb
 
InHand Networks–IPSec VPN A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. 2026-05-28 not yet calculated CVE-2026-38707 https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf
 
InHand Networks–WireGuard VPN A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. 2026-05-28 not yet calculated CVE-2026-38704 https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf
 
InHand Networks–Admin Access Feature A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. 2026-05-28 not yet calculated CVE-2026-38702 https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf
 
InHand Networks–ZeroTier VPN A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. 2026-05-28 not yet calculated CVE-2026-38703 https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf
 
Intermesh–groupoffice Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator’s email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator’s browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165. 2026-05-29 not yet calculated CVE-2026-45551 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p
 
iskorotkov–avro iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads – all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0. 2026-05-29 not yet calculated CVE-2026-46384 https://github.com/iskorotkov/avro/security/advisories/GHSA-mc57-h6j3-3hmv
 
iskorotkov–avro iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader’s error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets – so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is “indefinite until the worker is killed externally” – a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0. 2026-05-29 not yet calculated CVE-2026-46385 https://github.com/iskorotkov/avro/security/advisories/GHSA-w8j3-pq8g-8m7w
 
Jason-2605 Admin Panel 4.0–Jason-2605 Admin Panel 4.0 A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0. 2026-05-27 not yet calculated CVE-2026-30498 https://github.com/Mehdi-Ben-Hamou/CVE-2026-30498
 
Jenkins Project–Jenkins Active Directory Plugin Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. 2026-05-27 not yet calculated CVE-2026-48918 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Active Directory Plugin Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. 2026-05-27 not yet calculated CVE-2026-48919 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins AppSpider Plugin Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. 2026-05-27 not yet calculated CVE-2026-48923 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Bitbucket OAuth Plugin Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. 2026-05-27 not yet calculated CVE-2026-48924 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins buildgraph-view Plugin Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. 2026-05-27 not yet calculated CVE-2026-48927 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Credentials Binding Plugin Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. 2026-05-27 not yet calculated CVE-2026-48922 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Email Extension Plugin Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. 2026-05-27 not yet calculated CVE-2026-48920 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins GitHub Integration Plugin A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. 2026-05-27 not yet calculated CVE-2026-48925 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Job Import Plugin Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. 2026-05-27 not yet calculated CVE-2026-48926 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins LDAP Plugin Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. 2026-05-27 not yet calculated CVE-2026-48916 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins LDAP Plugin Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. 2026-05-27 not yet calculated CVE-2026-48917 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Multijob Plugin A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. 2026-05-27 not yet calculated CVE-2026-9674 Jenkins Security Advisory 2026-05-27
 
Jenkins Project–Jenkins Pipeline: Groovy Libraries Plugin Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. 2026-05-27 not yet calculated CVE-2026-48921 Jenkins Security Advisory 2026-05-27
 
jg-rp–liquid Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0. 2026-05-28 not yet calculated CVE-2026-45017 https://github.com/jg-rp/liquid/security/advisories/GHSA-8p4x-wr7x-3788
 
Joomla! Project–Joomla! CMS Lack of output escaping leads to an XSS vector in the feed modules. 2026-05-26 not yet calculated CVE-2026-25900 https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html
 
Joomla! Project–Joomla! CMS Lack of output escaping leads to an XSS vector in the multilingual associations component. 2026-05-26 not yet calculated CVE-2026-25901 https://developer.joomla.org/security-centre/1034-20260502-core-xss-in-com-associations.html
 
Joomla! Project–Joomla! CMS Lack of output escaping leads to an XSS vector in the content history component. 2026-05-26 not yet calculated CVE-2026-30894 https://developer.joomla.org/security-centre/1035-20260503-core-xss-in-com-contenthistory
 
Joomla! Project–Joomla! CMS Lack of output escaping leads to an XSS vector in the readmore links for com_content. 2026-05-26 not yet calculated CVE-2026-30895 https://developer.joomla.org/security-centre/1036-20260504-core-xss-in-readmore-links
 
Joomla! Project–Joomla! CMS Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. 2026-05-26 not yet calculated CVE-2026-35220 https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint
 
Joomla! Project–Joomla! CMS Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. 2026-05-26 not yet calculated CVE-2026-35221 https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html
 
Joomla! Project–Joomla! CMS Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. 2026-05-26 not yet calculated CVE-2026-35222 https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html
 
Joomla! Project–Joomla! CMS An improper access check allows unauthorized access to com_config webservice endpoints. 2026-05-26 not yet calculated CVE-2026-35223 https://developer.joomla.org/security-centre/1040-20260508-core-improper-access-check-in-com-config-webservice-endpoints.html
 
Joomla! Project–Joomla! CMS An improper validation of user-supplied input leads to a local file inclusion vulnerability. 2026-05-26 not yet calculated CVE-2026-40383 https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html
 
Joomla! Project–Joomla! CMS An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. 2026-05-26 not yet calculated CVE-2026-40384 https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html
 
Joomla! Project–Joomla! CMS Insufficient state checks lead to a vector that allows bypassing 2FA checks. 2026-05-26 not yet calculated CVE-2026-48896 https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html
 
Joomla! Project–Joomla! CMS Insufficient state checks lead to a vector that allows bypassing 2FA checks. 2026-05-26 not yet calculated CVE-2026-48897 https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html
 
Joomla! Project–Joomla! CMS An improper access check allows privilege escalation through the com_users batch task. 2026-05-26 not yet calculated CVE-2026-48898 https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html
 
Joomla! Project–Joomla! CMS An improper access check allows privilege escalation through the com_users batch task. 2026-05-26 not yet calculated CVE-2026-48899 https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html
 
Joomla! Project–Joomla! CMS An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. 2026-05-26 not yet calculated CVE-2026-48900 https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html
 
Joomla! Project–Joomla! CMS The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. 2026-05-26 not yet calculated CVE-2026-48901 https://developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html
 
Joomla! Project–Joomla! CMS The password and username reset features created plain http links for https connections if the “Force SSL” flag wasn’t explicitly set. 2026-05-26 not yet calculated CVE-2026-48902 https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html
 
Joomla! Project–Joomla! CMS An improper access check allows privilege escalation through the com_users group editing webservice endpoint. 2026-05-26 not yet calculated CVE-2026-48904 https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html
 
Joomla! Project–Joomla! Framework Filter package Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. 2026-05-26 not yet calculated CVE-2026-48903 https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html
 
Joomla! Project–Joomla! Framework Filter package Lack of input filtering leads to an XSS vector in the HTML filter code. 2026-05-26 not yet calculated CVE-2026-48905 https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html
 
Kareadita–Kavita Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0. 2026-05-26 not yet calculated CVE-2026-44775 https://github.com/Kareadita/Kavita/security/advisories/GHSA-6gc9-6r8p-5wg2
https://github.com/Kareadita/Kavita/blob/8c686df2dbc2d0a83120e8b3f8c1269107bb815d/API/Controllers/ReaderController.cs#L116
 
Kareadita–Kavita Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0. 2026-05-26 not yet calculated CVE-2026-44776 https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr
 
Kareadita–Kavita Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2. 2026-05-26 not yet calculated CVE-2026-47202 https://github.com/Kareadita/Kavita/security/advisories/GHSA-m2v3-fcjh-hm22
https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2
 
Kenik–KG-5230TAS-IL-3 Kenik Camera management Panel is vulnerable to a Path Traversal vulnerability. An unauthenticated attacker can send a GET request with an arbitrary file path and read the corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. The rest of the products were fixed in version 2025-04-21. 2026-05-25 not yet calculated CVE-2026-7766 https://cert.pl/posts/2026/05/CVE-2026-7766
 
Kovah–LinkAce LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6. 2026-05-28 not yet calculated CVE-2026-45342 https://github.com/Kovah/LinkAce/security/advisories/GHSA-cj8f-h888-m57m
 
Kovah–LinkAce LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator’s browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin’s browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6. 2026-05-28 not yet calculated CVE-2026-45343 https://github.com/Kovah/LinkAce/security/advisories/GHSA-jx4g-ph82-x9mm
 
Krajowa Izba Rozliczeniowa–Szafir SDK Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, “Positively verified”) even when the trust status of the signer’s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == “nondetermined”). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463. 2026-05-25 not yet calculated CVE-2026-9058 https://cert.pl/posts/2026/05/CVE-2026-9058
https://www.elektronicznypodpis.pl/
 
kumahq–kuma Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. 2026-05-28 not yet calculated CVE-2026-45021 https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2
https://github.com/kumahq/kuma/pull/16416
https://github.com/kumahq/kuma/pull/16423
https://github.com/kumahq/kuma/pull/16424
https://github.com/kumahq/kuma/pull/16425
https://github.com/kumahq/kuma/pull/16426
https://github.com/kumahq/kuma/pull/16427
https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907
 
kvf-admin–kvf-admin Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component. 2026-05-27 not yet calculated CVE-2026-38807 https://github.com/cagexunxi/CVE/issues/1
 
leiweibau–Pi.Alert Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then injected in a SQL query. This vulnerability is fixed in 2026-05-07. 2026-05-27 not yet calculated CVE-2026-44886 https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-m929-j7w8-334j
 
lepture–mistune Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. 2026-05-26 not yet calculated CVE-2026-44896 https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v
 
libjxl–libjxl Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc. 2026-05-27 not yet calculated CVE-2025-70103 https://github.com/libjxl/libjxl/issues/4337
https://github.com/libjxl/libjxl/pull/4338
https://github.com/sigdevel/pocs/blob/main/res/libjxl/2025/2
https://infosec.exchange/@sigdevel/116642233929409910
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix race condition when checking rpm_on When autosuspend is triggered, driver rpm_on flag is set to indicate that a suspend/resume is already in progress. However, when a userspace application submits a command during this narrow window, amdxdna_pm_resume_get() may incorrectly skip the resume operation because the rpm_on flag is still set. This results in commands being submitted while the device has not actually resumed, causing unexpected behavior. The set_dpm() is called by suspend/resume; it relied on the rpm_on flag to avoid calling into rpm suspend/resume recursively. So to fix this, remove the use of the rpm_on flag entirely. Instead, introduce aie2_pm_set_dpm() which explicitly resumes the device before invoking set_dpm(). With this change, set_dpm() is called directly inside the suspend or resume execution path. Otherwise, aie2_pm_set_dpm() is called. 2026-05-27 not yet calculated CVE-2025-71303 https://git.kernel.org/stable/c/e7cb75b6a5127d78298e39750b4f3185eca0dafc
https://git.kernel.org/stable/c/00ffe45ece80160aef446d74ded906352f21dd72
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously used values Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g. # cat /smack/doi 3 # netlabelctl -p cipso list Configured CIPSO mappings (1) DOI value : 3 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (3) domain: “_” (IPv4) protocol: UNLABELED domain: DEFAULT (IPv4) protocol: CIPSO, DOI = 3 domain: DEFAULT (IPv6) protocol: UNLABELED # cat /smack/ambient _ # cat /proc/$$/attr/smack/current _ # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms # echo foo >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86 # echo 4 >/smack/doi # echo 3 >/smack/doi !> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17 # ping -c1 10.1.95.12 !!> ping: 10.1.95.12: Address family for hostname not supported # echo _ >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map: # netlabelctl -p cipso list Configured CIPSO mappings (2) DOI value : 3 mapping type : PASS_THROUGH DOI value : 4 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (2) domain: “_” (IPv4) protocol: UNLABELED !> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock. Also: – allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI – add new DOI before removing the old default map, so the old map remains if the add fails (2008-02-04, Casey Schaufler) 2026-05-27 not yet calculated CVE-2025-71304 https://git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749
https://git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859
https://git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0
https://git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3
https://git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2
https://git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85
https://git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e
https://git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/display/dp_mst: Add protection against 0 vcpi When releasing a timeslot there is a slight chance we may end up with the wrong payload mask due to overflow if the delayed_destroy_work ends up coming into play after a DP 2.1 monitor gets disconnected which causes vcpi to become 0 then we try to make the payload = ~BIT(vcpi – 1) which is a negative shift. VCPI id should never really be 0 hence skip changing the payload mask if VCPI is 0. Otherwise it leads to <7> [515.287237] xe 0000:03:00.0: [drm:drm_dp_mst_get_port_malloc [drm_display_helper]] port ffff888126ce9000 (3) <4> [515.287267] ———–[ cut here ]———– <3> [515.287268] UBSAN: shift-out-of-bounds in ../drivers/gpu/drm/display/drm_dp_mst_topology.c:4575:36 <3> [515.287271] shift exponent -1 is negative <4> [515.287275] CPU: 7 UID: 0 PID: 3108 Comm: kworker/u64:33 Tainted: G S U 6.17.0-rc6-lgci-xe-xe-3795-3e79699fa1b216e92+ #1 PREEMPT(voluntary) <4> [515.287279] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER <4> [515.287279] Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 1645 03/15/2024 <4> [515.287281] Workqueue: drm_dp_mst_wq drm_dp_delayed_destroy_work [drm_display_helper] <4> [515.287303] Call Trace: <4> [515.287304] <TASK> <4> [515.287306] dump_stack_lvl+0xc1/0xf0 <4> [515.287313] dump_stack+0x10/0x20 <4> [515.287316] __ubsan_handle_shift_out_of_bounds+0x133/0x2e0 <4> [515.287324] ? drm_atomic_get_private_obj_state+0x186/0x1d0 <4> [515.287333] drm_dp_atomic_release_time_slots.cold+0x17/0x3d [drm_display_helper] <4> [515.287355] mst_connector_atomic_check+0x159/0x180 [xe] <4> [515.287546] drm_atomic_helper_check_modeset+0x4d9/0xfa0 <4> [515.287550] ? __ww_mutex_lock.constprop.0+0x6f/0x1a60 <4> [515.287562] intel_atomic_check+0x119/0x2b80 [xe] <4> [515.287740] ? find_held_lock+0x31/0x90 <4> [515.287747] ? lock_release+0xce/0x2a0 <4> [515.287754] drm_atomic_check_only+0x6a2/0xb40 <4> [515.287758] ? drm_atomic_add_affected_connectors+0x12b/0x140 <4> [515.287765] drm_atomic_commit+0x6e/0xf0 <4> [515.287766] ? _pfx__drm_printfn_info+0x10/0x10 <4> [515.287774] drm_client_modeset_commit_atomic+0x25c/0x2b0 <4> [515.287794] drm_client_modeset_commit_locked+0x60/0x1b0 <4> [515.287795] ? mutex_lock_nested+0x1b/0x30 <4> [515.287801] drm_client_modeset_commit+0x26/0x50 <4> [515.287804] __drm_fb_helper_restore_fbdev_mode_unlocked+0xdc/0x110 <4> [515.287810] drm_fb_helper_hotplug_event+0x120/0x140 <4> [515.287814] drm_fbdev_client_hotplug+0x28/0xd0 <4> [515.287819] drm_client_hotplug+0x6c/0xf0 <4> [515.287824] drm_client_dev_hotplug+0x9e/0xd0 <4> [515.287829] drm_kms_helper_hotplug_event+0x1a/0x30 <4> [515.287834] drm_dp_delayed_destroy_work+0x3df/0x410 [drm_display_helper] <4> [515.287861] process_one_work+0x22b/0x6f0 <4> [515.287874] worker_thread+0x1e8/0x3d0 <4> [515.287879] ? __pfx_worker_thread+0x10/0x10 <4> [515.287882] kthread+0x11c/0x250 <4> [515.287886] ? __pfx_kthread+0x10/0x10 <4> [515.287890] ret_from_fork+0x2d7/0x310 <4> [515.287894] ? __pfx_kthread+0x10/0x10 <4> [515.287897] ret_from_fork_asm+0x1a/0x30 2026-05-27 not yet calculated CVE-2025-71305 https://git.kernel.org/stable/c/95dbd525efce2a9e9e1c50ad15213de644c85ad0
https://git.kernel.org/stable/c/ac9a7c329a5610051fc476644c9b9145a5965ecb
https://git.kernel.org/stable/c/3f44cdb5371faf225af37d5caba8f21ec0572469
https://git.kernel.org/stable/c/4d2ccdea18b564e3f73e3e543854acea64e6277d
https://git.kernel.org/stable/c/d6afc7539ce06dadfa5b4787b3cfe79b95d8f67a
https://git.kernel.org/stable/c/342ccffd9f77fc29fe1c05fd145e4d842bd2feaa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) ‘file’ [80, 148) ‘hash’ This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false. 2026-05-27 not yet calculated CVE-2025-71306 https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935
https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug This patch removes the MCU halt and wait for halt procedures during panthor_fw_unplug() as the MCU can be in a variety of states or the FW may not even be loaded/initialized at all, the latter of which can lead to a NULL pointer dereference. It should be safe on unplug to just disable the MCU without waiting for it to halt as it may not be able to. 2026-05-27 not yet calculated CVE-2025-71307 https://git.kernel.org/stable/c/aab8b8a42e206a399fe3a5ed4b4cbb45ff6c546c
https://git.kernel.org/stable/c/920c6af98e98e6afedf6318a75bac95af8415c6c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix potential NULL pointer dereference in context cleanup aie_destroy_context() is invoked during error handling in aie2_create_context(). However, aie_destroy_context() assumes that the context’s mailbox channel pointer is non-NULL. If mailbox channel creation fails, the pointer remains NULL and calling aie_destroy_context() can lead to a NULL pointer dereference. In aie2_create_context(), replace aie_destroy_context() with a function which request firmware to remove the context created previously. 2026-05-27 not yet calculated CVE-2025-71308 https://git.kernel.org/stable/c/2611c9616cb52d3ed54a6095d72d18e645a6955a
https://git.kernel.org/stable/c/97f27573837ef96b4ba42af463cc800cab615c0e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix deadlock in ni_read_folio_cmpr Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr). This is caused by a lock inversion deadlock involving the inode mutex (ni_lock) and page locks. Scenario: 1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock. 2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in the compressed frame (including page Y). 3. Concurrently, Task B (e.g., via readahead) has locked page Y and calls ntfs_read_folio(). 4. Task B waits for ni_lock (held by A). 5. Task A waits for page Y lock (held by B). -> DEADLOCK. The fix is to restructure locking: do not take ni_lock in ntfs_read_folio(). Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required page locks for the frame have been successfully acquired. This restores the correct lock ordering (Page Lock -> ni_lock) consistent with VFS. [almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr] 2026-05-27 not yet calculated CVE-2025-71309 https://git.kernel.org/stable/c/cfe246b318106e1691bd6c9466c739e8559d25c2
https://git.kernel.org/stable/c/e37a75bb866c29da954b51d0dd7670406246d9ee
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize new folios before use KMSAN reports an uninitialized value in longest_match_std(), invoked from ntfs_compress_write(). When new folios are allocated without being marked uptodate and ni_read_frame() is skipped because the caller expects the frame to be completely overwritten, some reserved folios may remain only partially filled, leaving the rest memory uninitialized. 2026-05-27 not yet calculated CVE-2025-71311 https://git.kernel.org/stable/c/dd6c81527d097b3b0bf5a15c2fdc9657d045144c
https://git.kernel.org/stable/c/5a30cc03bde169ad558695b26da6ea7e55f6194a
https://git.kernel.org/stable/c/41d79f8e2a36622d148719bf7c18b46ac1264284
https://git.kernel.org/stable/c/f223ebffa185cc8da934333c5a31ff2d4f992dc9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super() In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without first freeing the memory it points to. This causes the subsequent call to ntfs_fs_free() to skip freeing the ntfs_mount_options structure. This results in a kmemleak report: unreferenced object 0xff1100015378b800 (size 32): comm "mount", pid 582, jiffies 4294890685 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................ backtrace (crc ed541d8c): __kmalloc_cache_noprof+0x424/0x5a0 __ntfs_init_fs_context+0x47/0x590 alloc_fs_context+0x5d8/0x960 __x64_sys_fsopen+0xb1/0x190 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e This issue can be reproduced using the following commands: fallocate -l 100M test.file mount test.file /tmp/test Since sbi->options is duplicated from fc->fs_private and does not directly use the memory allocated for fs_private, it is unnecessary to set fc->fs_private to NULL. Additionally, this patch simplifies the code by utilizing the helper function put_mount_options() instead of open-coding the cleanup logic. 2026-05-27 not yet calculated CVE-2025-71312 https://git.kernel.org/stable/c/dac871d833b09495198dcac81d2ebaa8db11acbc
https://git.kernel.org/stable/c/f7edab0cee03a1cbe0e55a7bcab8d2d8b6b74278
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). 2026-05-26 not yet calculated CVE-2026-45834 https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952
https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b
https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427
https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389
https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). 2026-05-26 not yet calculated CVE-2026-45835 https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0
https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9
https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a
https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea
https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). 2026-05-26 not yet calculated CVE-2026-45836 https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d
https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083
https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767
https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6
https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arena_vm_close on fork arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free. Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback. Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path: check_prep_vma() - returns 0 early: new_len == old_len skips VM_DONTEXPAND check prep_move_vma() - vm_start == old_addr and vm_end == old_addr + old_len so may_split is never called move_vma() copy_vma_and_data() copy_vma() vm_area_dup() - copies vm_private_data (vml pointer) vm_ops->open() - bumps vml->mmap_count vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA. 2026-05-27 not yet calculated CVE-2026-45837 https://git.kernel.org/stable/c/723b9fa930cc277c15ce6b9ec9feec828cfac9d7
https://git.kernel.org/stable/c/d18099f19e53250f8ad2801498b88cec29d9107a
https://git.kernel.org/stable/c/201128fcc7b213d27ab77bc4e89488b41796480f
https://git.kernel.org/stable/c/4fddde2a732de60bb97e3307d4eb69ac5f1d2b74
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL - when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries. 2026-05-27 not yet calculated CVE-2026-45838 https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b
https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af
https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377
https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f
https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N. When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF: BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321) bpf_core_apply (kernel/bpf/btf.c:9507) check_core_relo (kernel/bpf/verifier.c:19475) bpf_check (kernel/bpf/verifier.c:26031) bpf_prog_load (kernel/bpf/syscall.c:3089) __sys_bpf (kernel/bpf/syscall.c:6228) </TASK> CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.
2026-05-27 not yet calculated CVE-2026-45839 https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994
https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a
https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f
https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2
https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.
2026-05-27 not yet calculated CVE-2026-45840 https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63
https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15
https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704
https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f
https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel. Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen". Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: <IRQ> nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622) 2026-05-27 not yet calculated CVE-2026-45841 https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082
https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625
https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f
https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366
https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress). The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate. The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace.
Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519) Call Trace: <TASK> ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466) ppp_input (drivers/net/ppp/ppp_generic.c:2359) ppp_async_process (drivers/net/ppp/ppp_async.c:492) tasklet_action_common (kernel/softirq.c:926) handle_softirqs (kernel/softirq.c:623) run_ksoftirqd (kernel/softirq.c:1055) smpboot_thread_fn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:164) </TASK> Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet. The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work. 2026-05-27 not yet calculated CVE-2026-45842 https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1
https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301
https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf
https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152
https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload parsing Weiming Shi says: “arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices. As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa. The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().” Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394. Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394. Moreover, adjust arpt_mangle to drop the packet too as AI suggests: In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. 
To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload. This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported. Based on patch from Weiming Shi <bestswngs@gmail.com>. 2026-05-27 not yet calculated CVE-2026-45844 https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b
https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b
https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b
https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7
https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference. The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478) Call Trace: <TASK> tc_fill_tclass (net/sched/sch_api.c:1966) qdisc_class_dump (net/sched/sch_api.c:2326) taprio_walk (net/sched/sch_taprio.c:2514) tc_dump_tclass_qdisc (net/sched/sch_api.c:2352) tc_dump_tclass_root (net/sched/sch_api.c:2370) tc_dump_tclass (net/sched/sch_api.c:2431) rtnl_dumpit (net/core/rtnetlink.c:6864) netlink_dump (net/netlink/af_netlink.c:2325) rtnetlink_rcv_msg (net/core/rtnetlink.c:6959) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc’s qlen and backlog before calling the child’s enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc’s statistics. After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc’s refcount, which was never increased. 2026-05-27 not yet calculated CVE-2026-45845 https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d
https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31
https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca
https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04
https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk. BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160) Call Trace: <TASK> bareudp_fill_metadata_dst (drivers/net/bareudp.c:532) do_execute_actions (net/openvswitch/actions.c:901) ovs_execute_actions (net/openvswitch/actions.c:1589) ovs_packet_cmd_execute (net/openvswitch/datapath.c:700) genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1209) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver. 2026-05-27 not yet calculated CVE-2026-45846 https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636
https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2
https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d
https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df
https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: remove WARN_ON_ONCE when accessing forward path array Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARN_ON_ONCE if userspace manages to build a sufficiently long forward path. Remove it. 2026-05-27 not yet calculated CVE-2026-45847 https://git.kernel.org/stable/c/548244c2f542aa0ad49453e9306e715a3877bc44
https://git.kernel.org/stable/c/dcf9b3c90e5560339649d088836529883fb509f3
https://git.kernel.org/stable/c/9464ca7a6e56ad1ebf48b2ad5c16871edfad10c6
https://git.kernel.org/stable/c/959ea349c7e2d4edf07b6838ca7e59345fe61a08
https://git.kernel.org/stable/c/50422613185d505201167e8bdd2f2700790d5db6
https://git.kernel.org/stable/c/a78d055ba7c31103ad02f8eceb0c452e154d2660
https://git.kernel.org/stable/c/008e7a7c293b30bc43e4368dac6ea3808b75a572
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL sock in aa_sock_file_perm Deal with the potential that sock and sock-sk can be NULL during socket setup or teardown. This could lead to an oops. The fix for NULL pointer dereference in __unix_needs_revalidation shows this is at least possible for af_unix sockets. While the fix for af_unix sockets applies for newer mediation this is still the fall back path for older af_unix mediation and other sockets, so ensure it is covered. 2026-05-27 not yet calculated CVE-2026-45848 https://git.kernel.org/stable/c/68538ec34fcb4194c7961dc4eca6f5537fec8067
https://git.kernel.org/stable/c/5121b7283f1c46e4c06b88b1dda7b064429d77de
https://git.kernel.org/stable/c/c11b7c3280d000376e27ebfed17ec7046699eab4
https://git.kernel.org/stable/c/0dc19bca22606f7a61d5988408f74e3ae0ef3486
https://git.kernel.org/stable/c/3852eb9a0392eb435c03dcb47d581bcfe6a9a95b
https://git.kernel.org/stable/c/ccb66a3c6c8f51b3ed1bc003b70bb9ff99e8d835
https://git.kernel.org/stable/c/8a0ededbfcff74598f82f1d4b8ef9db28878b317
https://git.kernel.org/stable/c/00b67657535dfea56e84d11492f5c0f61d0af297
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj() ocelot_port_xmit_inj() calls ocelot_can_inject() and ocelot_port_inject_frame() without holding the injection group lock. Both functions contain lockdep_assert_held() for the injection lock, and the correct caller felix_port_deferred_xmit() properly acquires the lock using ocelot_lock_inj_grp() before calling these functions. Add ocelot_lock_inj_grp()/ocelot_unlock_inj_grp() around the register injection path to fix the missing lock protection. The FDMA path is not affected as it uses its own locking mechanism. 2026-05-27 not yet calculated CVE-2026-45849 https://git.kernel.org/stable/c/0b217a40156f497e09dd20d3f7baec40c785f386
https://git.kernel.org/stable/c/cc1b179f778f98270bdbbb48d183b4b6427ae198
https://git.kernel.org/stable/c/7ac58d8832802ec89baa7539e13e6d58a88cce04
https://git.kernel.org/stable/c/51c32ae7fae14552d79f7139614b77c1bbd57a48
https://git.kernel.org/stable/c/63da961381e0d979459dede713001f8452364477
https://git.kernel.org/stable/c/026f6513c5880c2c89e38ad66bbec2868f978605
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipvs: skip ipv6 extension headers for csum checks Protocol checksum validation fails for IPv6 if there are extension headers before the protocol header. iph->len already contains its offset, so use it to fix the problem. 2026-05-27 not yet calculated CVE-2026-45850 https://git.kernel.org/stable/c/a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4
https://git.kernel.org/stable/c/05cfe9863ef049d98141dc2969eefde72fb07625
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: efi: Fix reservation of unaccepted memory table The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table’s starting physical address (efi.unaccepted) is not page-aligned. If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory(). This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB). Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation. 2026-05-27 not yet calculated CVE-2026-45851 https://git.kernel.org/stable/c/b7bc182ec1846be437351e44164089d988f9d0dd
https://git.kernel.org/stable/c/ba6b6f1502fa55621d1db23f253d54322bdbe4e0
https://git.kernel.org/stable/c/9b18bf59977f5c5bc3b11b210520f62500a7adf3
https://git.kernel.org/stable/c/e649b5916725c68f44ebf45fb396df563c5dbaf2
https://git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Use kvfree instead of kfree in amdgpu_gmc_get_nps_memranges() amdgpu_discovery_get_nps_info() internally allocates memory for ranges using kvcalloc(), which may use vmalloc() for large allocation. Using kfree() to release vmalloc memory will lead to a memory corruption. Use kvfree() to safely handle both kmalloc and vmalloc allocations. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45853 https://git.kernel.org/stable/c/16e7e7ad8cdc6b4c4af7f31e262f1494c1b2a55e
https://git.kernel.org/stable/c/9ae85b0c1909b6c6bfd2636b04cdaf7f520bf2b5
https://git.kernel.org/stable/c/f441538893eba6347b983f2904819ca6c99da65e
https://git.kernel.org/stable/c/0c44d61945c4a80775292d96460aa2f22e62f86c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: inside-secure/eip93 - unregister only available algorithm EIP93 has an options register. This register indicates which crypto algorithms are implemented in silicon. Supported algorithms are registered on this basis. Unregister algorithms on the same basis. Currently, all algorithms are unregistered, even those not supported by HW. This results in panic on platforms that don’t have all options implemented in silicon. 2026-05-27 not yet calculated CVE-2026-45854 https://git.kernel.org/stable/c/243d642ff5809811208fa1707b7ab8a6ab4b1d68
https://git.kernel.org/stable/c/4c1c5a1d720fdacea060e106c7dd79417243d121
https://git.kernel.org/stable/c/0ceeadc7b53a041d89d5843f6bf0ccb7c98b0b4f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ata: libata-scsi: avoid Non-NCQ command starvation When a non-NCQ command is issued while NCQ commands are being executed, ata_scsi_qc_issue() indicates to the SCSI layer that the command issuing should be deferred by returning SCSI_MLQUEUE_XXX_BUSY. This command deferring is correct and as mandated by the ACS specifications since NCQ and non-NCQ commands cannot be mixed. However, in the case of a host adapter using multiple submission queues, when the target device is under a constant load of NCQ commands, there are no guarantees that requeueing the non-NCQ command will be executed later and it may be deferred again repeatedly as other submission queues can constantly issue NCQ commands from different CPUs ahead of the non-NCQ command. This can lead to very long delays for the execution of non-NCQ commands, and even complete starvation for these commands in the worst case scenario. Since the block layer and the SCSI layer do not distinguish between queueable (NCQ) and non queueable (non-NCQ) commands, libata-scsi SAT implementation must ensure forward progress for non-NCQ commands in the presence of NCQ command traffic. This is similar to what SAS HBAs with a hardware/firmware based SAT implementation do. Implement such forward progress guarantee by limiting requeueing of non-NCQ commands from ata_scsi_qc_issue(): when a non-NCQ command is received and NCQ commands are in-flight, do not force a requeue of the non-NCQ command by returning SCSI_MLQUEUE_XXX_BUSY and instead return 0 to indicate that the command was accepted but hold on to the qc using the new deferred_qc field of struct ata_port. This deferred qc will be issued using the work item deferred_qc_work running the function ata_scsi_deferred_qc_work() once all in-flight commands complete, which is checked with the port qc_defer() callback return value indicating that no further delay is necessary. 
This check is done using the helper function ata_scsi_schedule_deferred_qc() which is called from ata_scsi_qc_complete(). This thus excludes this mechanism from all internal non-NCQ commands issued by ATA EH. When a port deferred_qc is non NULL, that is, the port has a command waiting for the device queue to drain, the issuing of all incoming commands (both NCQ and non-NCQ) is deferred using the regular busy mechanism. This simplifies the code and also avoids potential denial of service problems if a user issues too many non-NCQ commands. Finally, whenever ata EH is scheduled, regardless of the reason, a deferred qc is always requeued so that it can be retried once EH completes. This is done by calling the function ata_scsi_requeue_deferred_qc() from ata_eh_set_pending(). This avoids the need for any special processing for the deferred qc in case of NCQ error, link or device reset, or device timeout. 2026-05-27 not yet calculated CVE-2026-45855 https://git.kernel.org/stable/c/ce22aaed011206fed9cbd8c9c2d44718607f31ee
https://git.kernel.org/stable/c/888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2
https://git.kernel.org/stable/c/5d61a38a60e62750526d94663b69b7ac5c7f07a5
https://git.kernel.org/stable/c/0ea84089dbf62a92dc7889c79e6b18fc89260808
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: csiostor: Fix dereference of null pointer rn The error exit path when rn is NULL ends up dereferencing the null pointer rn via the use of the macro CSIO_INC_STATS. Fix this by adding a new error return path label after the use of the macro to avoid the dereference. 2026-05-27 not yet calculated CVE-2026-45857 https://git.kernel.org/stable/c/16ccbfddcb32365138c806cf572e69b42a193c5c
https://git.kernel.org/stable/c/44ef9f81392de885883f73b9f5c43936a82ae9d7
https://git.kernel.org/stable/c/526ea3c0ccd495b0079db3e28fdddd51c1bf01f7
https://git.kernel.org/stable/c/25d623f0d77c11a256a54e860d00c239aa9a2583
https://git.kernel.org/stable/c/6037124dbf675fbd0a6248aaf04cf07387b8c323
https://git.kernel.org/stable/c/25ab5e97d3c5f3ed594b4a65d1cc99dc24756681
https://git.kernel.org/stable/c/3bbbab7b6949c76df64210348adbefedaabbf549
https://git.kernel.org/stable/c/1982257570b84dc33753d536dd969fd357a014e9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: don’t zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 When allocating initialized blocks from a large unwritten extent, or when splitting an unwritten extent during end I/O and converting it to initialized, there is currently a potential issue of stale data if the extent needs to be split in the middle.
  0 A       B N
  [UUUUUUUUUUUU]    U: unwritten extent
  [--DDDDDDDD--]    D: valid data
    |<-   ->|       ---> this range needs to be initialized
ext4_split_extent() first tries to split this extent at B with the EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flags set, but ext4_split_extent_at() fails to split this extent due to a temporary lack of space. It zeroes out B to N and marks the entire extent from 0 to N as written.
  0 A       B N
  [WWWWWWWWWWWW]    W: written extent
  [SSDDDDDDDDZZ]    Z: zeroed, S: stale data
ext4_split_extent() then tries to split this extent at A with the EXT4_EXT_DATA_VALID2 flag set. This time, it splits successfully and leaves a stale written extent from 0 to A.
  0 A       B N
  [WW|WWWWWWWWWW]
  [SS|DDDDDDDDZZ]
Fix this by passing EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at() when splitting at B; don’t convert the entire extent to written, and leave it as unwritten after zeroing out B to N. The remaining work is just like the standard two-part split. ext4_split_extent() will pass the EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the second time, allowing it to properly handle the split. If the split is successful, it will keep the extent from 0 to A as unwritten. 2026-05-27 not yet calculated CVE-2026-45858 https://git.kernel.org/stable/c/58ddae5d77b1db3a27b891c75a8fa120239ac092
https://git.kernel.org/stable/c/d17857b4fb9ba5745b59be0ef38fd532991fccbf
https://git.kernel.org/stable/c/d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88
https://git.kernel.org/stable/c/7015fcf473796e1d2d876f241bd9e0c36f3d4eef
https://git.kernel.org/stable/c/1bf6974822d1dba86cf11b5f05498581cf3488a2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers() The dw_i3c_master_i2c_xfers() function allocates memory for the xfer structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get() fails, the function returns without freeing the allocated xfer, resulting in a memory leak. Add a dw_i3c_master_free_xfer() call to the error path to ensure the allocated memory is properly freed. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45863 https://git.kernel.org/stable/c/140a45bd4f6db7d1b30cab967d29689b946c52fa
https://git.kernel.org/stable/c/8e71414e252c1cb235911008a98fd47927d3a55c
https://git.kernel.org/stable/c/a2c41467ef42f69a3958493a0395ba75174710dc
https://git.kernel.org/stable/c/2537089413514caaa9a5fdeeac3a34d45100f747
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: prevent infinite loops caused by the next valid being the same When processing valid within the range [valid : pos), if valid cannot be retrieved correctly, for example, if the retrieved valid value is always the same, this can trigger a potential infinite loop, similar to the hung problem reported by syzbot [1]. Adding a check for the valid value within the loop body, and terminating the loop and returning -EINVAL if the value is the same as the current value, can prevent this.
[1]
INFO: task syz.4.21:6056 blocked for more than 143 seconds.
Call Trace:
 rwbase_write_lock+0x14f/0x750 kernel/locking/rwbase_rt.c:244
 inode_lock include/linux/fs.h:1027 [inline]
 ntfs_file_write_iter+0xe6/0x870 fs/ntfs3/file.c:1284
2026-05-27 not yet calculated CVE-2026-45864 https://git.kernel.org/stable/c/50c822fcb36768f1fb356f05b02a2248ef81936d
https://git.kernel.org/stable/c/6d93239b4fc479f7c0a412dd196ec0ca2672d14a
https://git.kernel.org/stable/c/71c8b966ec56e13c02388c1312910588bb49be7a
https://git.kernel.org/stable/c/b97e371e5d1c13d722335d46eb8bc1a22b272a0e
https://git.kernel.org/stable/c/4bf3bafb8e0635ed93e3cd4156dcbcc0fb960cb4
https://git.kernel.org/stable/c/a47a2bb9aa6455d5cee1045814a60c749309c92b
https://git.kernel.org/stable/c/27b75ca4e51e3e4554dc85dbf1a0246c66106fd3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mctp i2c: initialise event handler read bytes Set a 0xff value for i2c reads of an mctp-i2c device. Otherwise reads will return “val” from the i2c bus driver. For i2c-aspeed and i2c-npcm7xx that is a stack uninitialised u8. Tested with “i2ctransfer -y 1 r10@0x34” where 0x34 is a mctp-i2c instance, now it returns all 0xff. 2026-05-27 not yet calculated CVE-2026-45865 https://git.kernel.org/stable/c/93e01e837e105299f1c259ef71f6e1ec4fe806e3
https://git.kernel.org/stable/c/11f83253244060b5de5eac787f61ae3f3e559d01
https://git.kernel.org/stable/c/fa9861e5c8af7651dddfa8d490aaada17ae33b6c
https://git.kernel.org/stable/c/6ff2ebfef75fbc57d937d8fbe738b967edf2d331
https://git.kernel.org/stable/c/1eeedb310229bfee9dd4d992e5bba33fe1378a8f
https://git.kernel.org/stable/c/2a14e91b6d76639dac70ea170f4384c1ee3cb48d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caif_serial ldisc_close() There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed. The race condition occurs between ldisc_close() and packet transmission:
CPU 0 (close)                    CPU 1 (xmit)
-------------                    ------------
ldisc_close()
  tty_kref_put(ser->tty)
  [tty may be freed here]
         <-- race window -->
                                 caif_xmit()
                                   handle_tx()
                                     tty = ser->tty      // dangling ptr
                                     tty->ops->write()   // UAF!
                                   schedule_work()
ser_release()
  unregister_netdevice()
The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets. Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered. Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF. Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev’s private data and will be freed along with netdev (needs_free_netdev = true). How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program [1]. Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch [2]. 
KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620
Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929
Call Trace:
 <TASK>
 dump_stack_lvl+0x10e/0x1f0
 print_report+0xd0/0x630
 kasan_report+0xe4/0x120
 handle_tx+0x5d1/0x620
 dev_hard_start_xmit+0x9d/0x6c0
 __dev_queue_xmit+0x6e2/0x4410
 packet_xmit+0x243/0x360
 packet_sendmsg+0x26cf/0x5500
 __sys_sendto+0x4a3/0x520
 __x64_sys_sendto+0xe0/0x1c0
 do_syscall_64+0xc9/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f615df2c0d7
Allocated by task 9930:
Freed by task 64:
Last potentially related work creation:
The buggy address belongs to the object at ffff8881131e1000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 1168 bytes inside of
 freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)
The buggy address belongs to the physical page:
page_owner tracks the page as allocated
page last free pid 9778 tgid 9778 stack trace:
Memory state around the buggy address:
 ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb
[2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u
2026-05-27 not yet calculated CVE-2026-45866 https://git.kernel.org/stable/c/5e266ba8d330d3b8e5bc198f238cd8901826cfa1
https://git.kernel.org/stable/c/d3c75db4e0460641dbcd274b40867e252d801da1
https://git.kernel.org/stable/c/4e63d6f68544ae5269ac9735ae5b69b59b5b8725
https://git.kernel.org/stable/c/331e2b7051635780edea248dd08ae2026c126f4a
https://git.kernel.org/stable/c/52731ef4438155cea782fac74e547a327ab9e7c5
https://git.kernel.org/stable/c/c8c197aaa56b25a2d54f3aa07e27e228d6c08546
https://git.kernel.org/stable/c/40962f2bf8cdba63af23aec95ad3f49b689e58e2
https://git.kernel.org/stable/c/308e7e4d0a846359685f40aade023aee7b27284c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: act8945a: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45867 https://git.kernel.org/stable/c/f2a0777b1e5a3cee1712c4d3e9095c0df8fc8cb3
https://git.kernel.org/stable/c/0768e8525a46df103647ca5059b32320d7fd17e4
https://git.kernel.org/stable/c/d023ef9f748b2090f7a9dbdd5c622b6ad99088ea
https://git.kernel.org/stable/c/697bb5dc0cb4791e244f3970b067bc1ef33be9d9
https://git.kernel.org/stable/c/76a42ba547a9b2e2337894f67a4d9247445007d5
https://git.kernel.org/stable/c/f27eb76def5c07e4d7cc468b40741f19dafc83ce
https://git.kernel.org/stable/c/83c1bd466c514cb24ca6ef347c5aac76a13c4e1e
https://git.kernel.org/stable/c/3291c51d4684d048dd2eb91b5b65fcfdaf72141f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix refcount leak in pcs_add_gpio_func() of_parse_phandle_with_args() returns a device_node pointer with refcount incremented in gpiospec.np. The loop iterates through all phandles but never releases the reference, causing a refcount leak on each iteration. Add of_node_put() calls to release the reference after extracting the needed arguments and on the error path when devm_kzalloc() fails. This bug was detected by our static analysis tool and verified by my code review. 2026-05-27 not yet calculated CVE-2026-45868 https://git.kernel.org/stable/c/191bfd5710d6a7f48ba4315d8d3e908dcc15243c
https://git.kernel.org/stable/c/3e3b28bb0b6ddc521a4fdd1c1ba0d35017a0796b
https://git.kernel.org/stable/c/456a60d06c09a92680dc35fabca68024badcc28e
https://git.kernel.org/stable/c/99cc7352156c65201c675f750e0e77c4c73d93f5
https://git.kernel.org/stable/c/7814b1431848854b56717086e2b61bea3c59753d
https://git.kernel.org/stable/c/e2e367e56bacb93ce5ac73f0b3297d5c83d38dd4
https://git.kernel.org/stable/c/5b9e84d27e310f22c4ba45fedbc4f5baf43dd823
https://git.kernel.org/stable/c/353353309b0f7afa407df29e455f9d15b5acc296
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed() In `probe()`, `request_irq()` is called before allocating/registering a `power_supply` handle. If an interrupt is fired between the call to `request_irq()` and `power_supply_register()`, the `power_supply` handle will be used uninitialized in `power_supply_changed()` in `wm97xx_bat_update()` (triggered from the interrupt handler). This will lead to a `NULL` pointer dereference since Fix this racy `NULL` pointer dereference by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Since the IRQ is the last thing requested in `probe()` now, remove the error path for freeing it. Instead add one for unregistering the `power_supply` handle when the IRQ request fails. 2026-05-27 not yet calculated CVE-2026-45869 https://git.kernel.org/stable/c/3d7b5391bb95505b3581c1fb77150c467ab92864
https://git.kernel.org/stable/c/438f9a303ea8b55162b2d5376490c2ab3ec165a0
https://git.kernel.org/stable/c/9b7d77cb046b4487e8e511e04e62b6f416ce845c
https://git.kernel.org/stable/c/86183153c299e8bb1839e717286d6c6f39508a59
https://git.kernel.org/stable/c/93bdf715d33cf5ee01c58e8546c2469c71ce082a
https://git.kernel.org/stable/c/c0def811ad8d642dca9b6d31a198cc39f5f90837
https://git.kernel.org/stable/c/dfaf235d5a6b60cbf115a14a656946303ad007b7
https://git.kernel.org/stable/c/39fe0eac6d755ef215026518985fcf8de9360e9e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks. The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:
struct gssx_ctx rctxh = {
	.exported_context_token.len = GSSX_max_output_handle_sz,
	.mech.len = GSS_OID_MAX_LEN,
	.src_name.display_name.len = GSSX_max_princ_sz,
	.targ_name.display_name.len = GSSX_max_princ_sz
};
If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed. Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error. 2026-05-27 not yet calculated CVE-2026-45870 https://git.kernel.org/stable/c/c81431b1b9fbd21e9a5a9211b5517b7295d18e6a
https://git.kernel.org/stable/c/caf7eff432e91a9eba1c79fa545c2f54be15d62b
https://git.kernel.org/stable/c/64303b92d94c0c7845a273acd8d84b796d6f1db7
https://git.kernel.org/stable/c/df10f23defff22c8d55fe6db74f6e4ce927145bf
https://git.kernel.org/stable/c/b4af3806846778799cd4ab0766dc18341e777264
https://git.kernel.org/stable/c/d79b9097a6a2b91471b40755f1225364be5d85ff
https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1
https://git.kernel.org/stable/c/3e6397b056335cc56ef0e9da36c95946a19f5118
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tpm: st33zp24: Fix missing cleanup on get_burstcount() error get_burstcount() can return -EBUSY on timeout. When this happens, st33zp24_send() returns directly without releasing the locality acquired earlier. Use goto out_err to ensure proper cleanup when get_burstcount() fails. 2026-05-27 not yet calculated CVE-2026-45871 https://git.kernel.org/stable/c/e0ce3da82341fcd6194175f1837946b2a894c625
https://git.kernel.org/stable/c/7687133509cf66ced120b667fefd21f80bf17993
https://git.kernel.org/stable/c/1256c6dc96d1e687e6e9b63088156ed07411b00c
https://git.kernel.org/stable/c/a51cff9be046e13e1c1b2fe45d5c48b582ec9b8c
https://git.kernel.org/stable/c/cc09d55f519e15355de343264a22ac6682b8305e
https://git.kernel.org/stable/c/ec15eb67fe9df87981b4829b901ec254273ca483
https://git.kernel.org/stable/c/4fffb77d35d038f146e6192da583dbe4971d869e
https://git.kernel.org/stable/c/3e91b44c93ad2871f89fc2a98c5e4fe6ca5db3d9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks. Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45872 https://git.kernel.org/stable/c/f471ecfec093e39ef8fd08978413793087daa14d
https://git.kernel.org/stable/c/fdf1188cfa80f88c9f18d58cb33d57ff40e70e26
https://git.kernel.org/stable/c/d52e13122d3771f753dd73ae6512fa01f58015cb
https://git.kernel.org/stable/c/e5579ebaadc7b699868dad0f591a7bf83cd647e1
https://git.kernel.org/stable/c/454570434114e4862767f506a442a0f110b639b2
https://git.kernel.org/stable/c/41b37312bd9722af77ec7817ccf22d7a4880c289
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted. The existing partial overlap detection logic skips anonymous set checks on start elements for this reason. However, it is possible to add intervals that overlap to this anonymous set where two start elements are the same, e.g. A-B, A-C where C < B.
start   end
  A      B
start   end
  A      C
Restore the check on overlapping start elements to report an overlap. 2026-05-27 not yet calculated CVE-2026-45873 https://git.kernel.org/stable/c/7ca5813e1b21ef300e04593f47b073ef3217aac6
https://git.kernel.org/stable/c/029e5f6a95e905b12d6bc20421be32a01e0eb311
https://git.kernel.org/stable/c/f1381ce0a1dd013610985e1c4260908163a427df
https://git.kernel.org/stable/c/f1535d56fc3f6c625b7e0559c006bd0318791bb1
https://git.kernel.org/stable/c/05feaf826390fd16f1deb89dd9412def3b2a280f
https://git.kernel.org/stable/c/dad14d22dff1a191612acb98facceb303d0524a2
https://git.kernel.org/stable/c/e6497e06a102870803a59570d75ed2c36d7e11b3
https://git.kernel.org/stable/c/4780ec142cbb24b794129d3080eee5cac2943ffc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: phy: freescale: imx8qm-hsio: fix NULL pointer dereference During the probe the refclk_pad pointer is set to NULL if the ‘fsl,refclk-pad-mode’ property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used which could result in a NULL pointer dereference. So check the pointer before using it. 2026-05-27 not yet calculated CVE-2026-45874 https://git.kernel.org/stable/c/a771b386cb6c6e582e7b50f8eeff3347ff887f71
https://git.kernel.org/stable/c/dd8b9ba3d9701832cfb5dcefd8b43250df28dbc2
https://git.kernel.org/stable/c/8d29e81e9cdec84d4b9acb1736550d35e86c88af
https://git.kernel.org/stable/c/4dd5d4c0361af0a3fd24f45c815996abf4429770
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Fix regulator resource leak on wm5102_clear_write_sequencer() failure The wm5102_clear_write_sequencer() helper may return an error and just return, bypassing the cleanup sequence and causing regulators to remain enabled, leading to a resource leak. Change the direct return to jump to the err_reset label to properly free the resources. 2026-05-27 not yet calculated CVE-2026-45875 https://git.kernel.org/stable/c/54eafc1b0dbcf79c5f8b6dc8d9e92e56b9384c0a
https://git.kernel.org/stable/c/933c5463873582baaecf5c38401ec4095b1c6269
https://git.kernel.org/stable/c/445cec7b4fbb1546836ae8e332d158e8d37d0fb6
https://git.kernel.org/stable/c/3ea01691738b0decb63ea2705d2cdf27f6f26fc0
https://git.kernel.org/stable/c/e0527c09bcf1e6beeb685a7f4177683866b8609c
https://git.kernel.org/stable/c/5a4923726a165593d7601834a6fb2a10ab47b85d
https://git.kernel.org/stable/c/2049820d1e635e467d795237fd40287213d92349
https://git.kernel.org/stable/c/4feb753ba6e5e5bbaba868b841a2db41c21e56fa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: arm64/gcs: Fix error handling in arch_set_shadow_stack_status() alloc_gcs() returns an error-encoded pointer on failure, which comes from do_mmap(), not NULL. The current NULL check fails to detect errors, which could lead to using an invalid GCS address. Use IS_ERR_VALUE() to properly detect errors, consistent with the check in gcs_alloc_thread_stack(). 2026-05-27 not yet calculated CVE-2026-45876 https://git.kernel.org/stable/c/c787a235deb33be6eda40beee8f561da5fd8cb8c
https://git.kernel.org/stable/c/a4741114c9622346c4bbb8cc2bbd88153616ffaf
https://git.kernel.org/stable/c/53c998527ffa60f9deda8974a11ad39790684159
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic. This issue was identified during multi-unit warm reboot stress cycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions.
KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
Workqueue: ish_fw_update_wq fw_reset_work_fn
Call Trace:
 ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
 ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
 fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
2026-05-27 not yet calculated CVE-2026-45877 https://git.kernel.org/stable/c/0b605e8ce60698c27a26f512968a597fd620d2e8
https://git.kernel.org/stable/c/feb4bcfd405282de60aba321f13a1272b30c5af4
https://git.kernel.org/stable/c/272dac57caa981718e7188c80c703e7bb1998054
https://git.kernel.org/stable/c/56f7db581ee73af53cd512e00a6261a025bf1d58
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25980: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45879 https://git.kernel.org/stable/c/86f93dfb23f5bf4f285c4256a7e909d222f7de56
https://git.kernel.org/stable/c/16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f
https://git.kernel.org/stable/c/0560a4b09c92e2ecaa883965cf6f9ca51c158ff9
https://git.kernel.org/stable/c/0de95d29d847c6217b7d5845e24a71a4aee7b359
https://git.kernel.org/stable/c/4aeaf03c17260415c2fdd55992f9ad4188d5455a
https://git.kernel.org/stable/c/03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c
https://git.kernel.org/stable/c/abea607ff2f62f4c0a5fb29f7fbdaaab163276a4
https://git.kernel.org/stable/c/5f0b1cb41906e86b64bf69f5ededb83b0d757c27
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails When vm_insert_page() fails in p2pmem_alloc_mmap(), p2pmem_alloc_mmap() doesn’t invoke percpu_ref_put() to free the per-CPU ref of pgmap acquired after gen_pool_alloc_owner(), and memunmap_pages() will hang forever when trying to remove the PCI device. Fix it by adding the missed percpu_ref_put(). 2026-05-27 not yet calculated CVE-2026-45880 https://git.kernel.org/stable/c/baa42b756d183a59572f3890981a3d32b8d05d40
https://git.kernel.org/stable/c/51b7181cfbedf289ce794b6d97a1c596c309ec38
https://git.kernel.org/stable/c/e19cce88ec4c4877f4ff2469099b9cf23cc3e93e
https://git.kernel.org/stable/c/a1f4dc72efc3204db95d052058d785cad7ce755f
https://git.kernel.org/stable/c/6220694c52a5a04102b48109e4f24e958b559bd3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: svs: Fix memory leak in svs_enable_debug_write() In svs_enable_debug_write(), the buf allocated by memdup_user_nul() is leaked if kstrtoint() fails. Fix this by using __free(kfree) to automatically free buf, eliminating the need for explicit kfree() calls and preventing leaks. [Angelo: Added missing cleanup.h inclusion] 2026-05-27 not yet calculated CVE-2026-45881 https://git.kernel.org/stable/c/47a3e372f7d68776adb749a27c0ec9058ff1b4fd
https://git.kernel.org/stable/c/06195456c4e4de3826c4ca60eca941c472f991d0
https://git.kernel.org/stable/c/a58c97828911c0b6e25d6b556789da974003efda
https://git.kernel.org/stable/c/0f6498077faa9cd89bb787bcc57063494a6f0601
https://git.kernel.org/stable/c/6bb10466e0884b4a68d4a1f3f4bb87eeb471c18a
https://git.kernel.org/stable/c/6259094ee806fb813ca95894c65fb80e2ec98bf1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45882 https://git.kernel.org/stable/c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2
https://git.kernel.org/stable/c/a8b7117ae3a791c6a328674d05a06cd45d8241bd
https://git.kernel.org/stable/c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc
https://git.kernel.org/stable/c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iio: sca3000: Fix a resource leak in sca3000_probe() spi->irq from request_threaded_irq() is not released when iio_device_register() fails. Add a return value check and jump to a common error handler when iio_device_register() fails. 2026-05-27 not yet calculated CVE-2026-45883 https://git.kernel.org/stable/c/55e13abf22c27a3b0ab5cf941dd07a2d9786736c
https://git.kernel.org/stable/c/40c860ece22542178cddcf01b08644bcdbc597b3
https://git.kernel.org/stable/c/597d749c5180f3e351837e851a6131b140324e9f
https://git.kernel.org/stable/c/e8e960c3d23fdb4882d70d34ce762368da0f1427
https://git.kernel.org/stable/c/103ac8e3a7f345a0966ef582b8a874ac31a92c7c
https://git.kernel.org/stable/c/517d9f2b963089b3d64c23accf7920d77f5a30c8
https://git.kernel.org/stable/c/84d3c396d8ae73c24dececfcc4e544ea09311e32
https://git.kernel.org/stable/c/62b44ebc1f2c71db3ca2d4737c52e433f6f03038
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aa_get_buffer When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations. Guard the decrement so hold never underflows. 2026-05-27 not yet calculated CVE-2026-45884 https://git.kernel.org/stable/c/202824a1f89a9786c20a3d646a7c88d223abb1b2
https://git.kernel.org/stable/c/80c334acc6d0bee8605a358a33e69b4aea1ffb92
https://git.kernel.org/stable/c/4bcddd0f6b2e52b4c7b520e4d36a115caf5b7169
https://git.kernel.org/stable/c/640cf2f09575c9dc344b3f7be2498d31e3923ead
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting the IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle, which usually crashes the system or otherwise silently corrupts memory. Note that there is a similar situation which can also happen during `probe()`: the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45885 https://git.kernel.org/stable/c/c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4
https://git.kernel.org/stable/c/3ff75cba1c98349a23a8f9333981deba1972cc11
https://git.kernel.org/stable/c/2ce2334be155bd8bad6377e99984246ce4dbd08c
https://git.kernel.org/stable/c/cbb9b07f88a9ef6518934c41eb3e8cf840d657d5
https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a
https://git.kernel.org/stable/c/2841bbb5a35c4449c0a0458e8e476b2a62f95147
https://git.kernel.org/stable/c/e261be6f18929f2397cd54cd583a2df624c129c1
https://git.kernel.org/stable/c/642f33e34b969eedec334738fd5df95d2dc42742
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_xdp_store_bytes proto for read-only arg While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error: ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4 nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper’s memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails. Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory. This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes. 2026-05-27 not yet calculated CVE-2026-45886 https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e
https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15
https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775
https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b
https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52
https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix memleak of newsk in unix_stream_connect(). When prepare_peercred() fails in unix_stream_connect(), unix_release_sock() is not called for newsk, and the memory is leaked. Let’s move prepare_peercred() before unix_create1(). 2026-05-27 not yet calculated CVE-2026-45887 https://git.kernel.org/stable/c/365996a2b14d07caa9e33d367b67ea26c09d89b4
https://git.kernel.org/stable/c/a5d95d7caba0160fb7b2b8d2bd96d5a1be861d9f
https://git.kernel.org/stable/c/6884028cd7f275f8bcb854a347265cb1fb0e4bea
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid1: fix memory leak in raid1_run() raid1_run() calls setup_conf() which registers a thread via md_register_thread(). If raid1_set_limits() fails, the previously registered thread is not unregistered, resulting in a memory leak of the md_thread structure and the thread resource itself. Add md_unregister_thread() to the error path to properly clean up the thread, which aligns with the error handling logic of other paths in this function. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45888 https://git.kernel.org/stable/c/c94fd6e8a71efd047ff36930e840f3c25679e136
https://git.kernel.org/stable/c/ec10e3dc93994b87adf7c759a4639fe34013989a
https://git.kernel.org/stable/c/b37588b0282a2b3cdda9db1d53712745ce66dea0
https://git.kernel.org/stable/c/6abc7d5dcf0ee0f85e16e41c87fbd06231f28753
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcp_rcvbuf_grow() MPTCP-level OoOs are physiological when multiple subflows are active concurrently; they will not cause retransmissions, nor are they caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf to slowly drift towards tcp_rmem[2]. Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated. This also closes a subtle and very unlikely race condition with rcvspace init: active sockets with user-space holding the msk-level socket lock could complete such initialization in the receive callback after the first OoO data reaches the rcvbuf, potentially triggering a divide-by-zero Oops. 2026-05-27 not yet calculated CVE-2026-45889 https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79
https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136
https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xen-netback: reject zero-queue configuration from guest A malicious or buggy Xen guest can write “0” to the xenbus key “multi-queue-num-queues”. The connect() function in the backend only validates the upper bound (requested_num_queues > xenvif_max_queues) but not zero, allowing requested_num_queues=0 to reach vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems with panic_on_warn=1, this allows a guest-to-host denial of service. The Xen network interface specification requires the queue count to be “greater than zero”. Add a zero check to match the validation already present in xen-blkback, which has included this guard since its multi-queue support was added. 2026-05-27 not yet calculated CVE-2026-45890 https://git.kernel.org/stable/c/2993e0f904c45f8af12917344bb1cac7ccd05a60
https://git.kernel.org/stable/c/787bfa423228c4b02ba3368128f625d579085353
https://git.kernel.org/stable/c/ce66d6786de45b7ed9cbbdc0988054bf09e58f54
https://git.kernel.org/stable/c/88b0fced1bbbfdb356a007592604008ffc93a6a1
https://git.kernel.org/stable/c/ec4859ac5c933e3315543a61adc1ca4358006a41
https://git.kernel.org/stable/c/654780dee9eae419e1648ea58462c4efe54518fa
https://git.kernel.org/stable/c/d99f69ddc70fd9f4b8148add62209a1a8eb5c615
https://git.kernel.org/stable/c/6d1dc8014334c7fb25719999bca84d811e60a559
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers. 2026-05-27 not yet calculated CVE-2026-45891 https://git.kernel.org/stable/c/fb6a4c376d454b425555b1b0bda36e99f56ec307
https://git.kernel.org/stable/c/43015461662d41dcfb3bb95fadd8a2a42ad8eacf
https://git.kernel.org/stable/c/6dc10494cfe27b6f1e9adb7e293293ae39c50b7c
https://git.kernel.org/stable/c/d2c785733dfb853ea0b53984c75662a1af230a94
https://git.kernel.org/stable/c/fdbccddb7e7822016601829f95de4008e193f7bc
https://git.kernel.org/stable/c/c3659273860bed0c8e573b865e3769abc51225a8
https://git.kernel.org/stable/c/6d2f142b1e4b203387a92519d9d2e34752a79dbb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and a buffered write in the middle of it without dioread_nolock enabled; it will allocate blocks as a written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized ext4_split_extent() first tries to split this extent at B with the EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flags set, but ext4_split_extent_at() fails to split this extent due to a temporary lack of space. It zeroes out B to N and leaves the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then tries to split this extent at A with the EXT4_EXT_DATA_VALID2 flag set. This time, it splits successfully and leaves a written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only inserts extent A to B into the extent status tree, and leaves a stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always caching the extent status entry after zeroing out the second part. 2026-05-27 not yet calculated CVE-2026-45892 https://git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31
https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b
https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc
https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267
https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix & Optimize table creation from possibly unaligned memory The source blob may come from userspace and might be unaligned. Try to optimize the copying process by avoiding unaligned memory accesses. - Added Fixes tag - Added “Fix &” to description as this doesn’t just optimize but fixes a potential unaligned memory access [jj: remove duplicate word “convert” in comment triggering checkpatch warning] 2026-05-27 not yet calculated CVE-2026-45893 https://git.kernel.org/stable/c/47e351dfef60ab0e3285133556e1a9c7f646a969
https://git.kernel.org/stable/c/e027999049c493fb728ead5a90db76942181a935
https://git.kernel.org/stable/c/226c3b10aab23f73b03c47e7773107de56ba3a4e
https://git.kernel.org/stable/c/6fc367bfd4c8886e6b1742aabbd1c0bdc310db3a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: quota: fix livelock between quotactl and freeze_super When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses the sb_start_write() - sb_end_write() pair to wait for the unfreeze. However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled. The mechanism is as follows: 1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write(). 2. sb_wait_write() calls percpu_down_write(), which initiates synchronize_rcu(). 3. Simultaneously, quotactl_block() spins in its retry loop, immediately executing the sb_start_write() - sb_end_write() pair. 4. Because the kernel is non-preemptible and the loop contains no scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state. 5. synchronize_rcu() in the freezer thread waits indefinitely for the quotactl_block() CPU to report a quiescent state. 6. quotactl_block() spins indefinitely waiting for the freezer to advance, which it cannot do as it is blocked on the RCU sync. This results in a hang of the freezer process and 100% CPU usage by the quota process. While this can occur intermittently on multi-core systems, it reliably reproduces on a node with the following script, running both the freezer and the quota toggle on the same CPU: # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount # mount /dev/sda -o quota,usrquota,grpquota a_mount # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; xfs_freeze -u a_mount; done" & # taskset -c 3 bash -c "while true; do quotaon a_mount; quotaoff a_mount; done" & Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete. 2026-05-27 not yet calculated CVE-2026-45895 https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82
https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf
https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12
https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d
https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mtd: intel-dg: Fix accessing regions before setting nregions The regions array is counted by nregions, but it’s set only after accessing it: [] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15 [] index 0 is out of range for type '<unknown> [*]' Fix it by also fixing an undesired behavior: the loop silently ignores ENOMEM and continues setting the other entries. 2026-05-27 not yet calculated CVE-2026-45896 https://git.kernel.org/stable/c/721bd22bcf45a63ebd9bd0f478ef721b45cc5383
https://git.kernel.org/stable/c/d58fca8513414b15387460b14a7a0a30405b9c9e
https://git.kernel.org/stable/c/779c59274d03cc5c07237a2c845dfb71cff77705
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later. 2026-05-27 not yet calculated CVE-2026-45897 https://git.kernel.org/stable/c/0cdc6d5a26f2d1f7f15a43526841b679445c32e2
https://git.kernel.org/stable/c/779c60a5190c42689534172f4b49e927c9959e4e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache when splitting extent fails When the split extent fails, we might leave some extents still being processed and return an error directly, which will result in stale extent entries remaining in the extent status tree. So drop all of the remaining potentially stale extents if the splitting fails. 2026-05-27 not yet calculated CVE-2026-45899 https://git.kernel.org/stable/c/6e54f8dfee359bbd58086c883ea8cffd5312999d
https://git.kernel.org/stable/c/337506dc652383c80839edb8d8dcdd8ff2129b4f
https://git.kernel.org/stable/c/dc7c9b9d03a59a7fe483574531327e650a4b4adc
https://git.kernel.org/stable/c/120c6bd7ca9d3e80a968b758cbb3fbd67570f132
https://git.kernel.org/stable/c/808f3191498f300174523c54cab101e18795ae4e
https://git.kernel.org/stable/c/31bf37cf53ede8145e2bc62da803d4506da92975
https://git.kernel.org/stable/c/79b592e8f1b435796cbc2722190368e3e8ffd7a1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: caam – fix netdev memory leak in dpaa2_caam_probe When commit 0e1a4d427f58 (“crypto: caam: Unembed net_dev structure in dpaa2”) converted embedded net_device to dynamically allocated pointers, it added cleanup in dpaa2_dpseci_disable() but missed adding cleanup in dpaa2_dpseci_free() for error paths. This causes memory leaks when dpaa2_dpseci_dpio_setup() fails during probe due to DPIO devices not being ready yet. The kernel’s deferred probe mechanism handles the retry successfully, but the netdevs allocated during the failed probe attempt are never freed, resulting in kmemleak reports showing multiple leaked netdev-related allocations all traced back to dpaa2_caam_probe(). Fix this by preserving the CPU mask of allocated netdevs during setup and using it for cleanup in dpaa2_dpseci_free(). This approach ensures that only the CPUs that actually had netdevs allocated will be cleaned up, avoiding potential issues with CPU hotplug scenarios. 2026-05-27 not yet calculated CVE-2026-45900 https://git.kernel.org/stable/c/d5c6f254528caf78d5de7d9646dc21c81d351827
https://git.kernel.org/stable/c/d7decb572b55d2af33e59e9858fcee5d9ae69175
https://git.kernel.org/stable/c/e144cce29851610ce9c6eda405ce21118779aa51
https://git.kernel.org/stable/c/7d43252b3060b0ba4a192dce5dba85a3f39ffe39
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: revert commit_mutex usage in reset path It causes circular lock dependency between commit_mutex, nfnl_subsys_ipset and nlk_cb_mutex when nft reset, ipset list, and iptables-nft with ‘-m set’ rule run at the same time. Previous patches made it safe to run individual reset handlers concurrently so commit_mutex is no longer required to prevent this. 2026-05-27 not yet calculated CVE-2026-45901 https://git.kernel.org/stable/c/ee3978b6a0dcd4215cb7cedcba705a12174786a7
https://git.kernel.org/stable/c/7f261bb906bf527c4a6e2a646e2d5f3679f2a8bc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: bq256xx: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting the IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle, which usually crashes the system or otherwise silently corrupts memory. Note that there is a similar situation which can also happen during `probe()`: the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45902 https://git.kernel.org/stable/c/81d3688c9a2158329391e08f2d0b8ba204216044
https://git.kernel.org/stable/c/74b5a88318db97d51bb40f774736553c2acd1514
https://git.kernel.org/stable/c/cb5c743936edcebc51880eeb6bf04979b5c9438b
https://git.kernel.org/stable/c/83c27fdd696ac13d023ef7a0345301be93209c53
https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6
https://git.kernel.org/stable/c/8796910131a32ff29275052df768ef022929a394
https://git.kernel.org/stable/c/8005843369723d9c8975b7c4202d1b85d6125302
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix memory access flags in helper prototypes After commit 37cce22dbd51 (“bpf: verifier: Refactor helper access type tracking”), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations. Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues. For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory. Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 (“bpf: Fix verifier assumptions of bpf_d_path’s output buffer”) and commit 2eb7648558a7 (“bpf: Specify access type of bpf_sysctl_get_name args”). Fix these prototypes by adding the correct memory access flags. 2026-05-27 not yet calculated CVE-2026-45903 https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806
https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d
https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent commit 1010b4c012b0 (“powerpc/eeh: Make EEH driver device hotplug safe”) restructured the EEH driver to improve synchronization with the PCI hotplug layer. However, it inadvertently moved pci_lock_rescan_remove() outside its intended scope in eeh_handle_normal_event(), leading to broken PCI error reporting and improper EEH event triggering. Specifically, eeh_handle_normal_event() acquired pci_lock_rescan_remove() before calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to acquire the same lock internally, causing nested locking and disrupting normal EEH event handling paths. This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(), with two public wrappers: eeh_pe_bus_get(), with locking enabled, and eeh_pe_bus_get_nolock(), which skips locking. Callers that already hold pci_lock_rescan_remove() now use eeh_pe_bus_get_nolock() to avoid recursive lock acquisition. Additionally, pci_lock_rescan_remove() calls are restored to the correct position, after eeh_pe_bus_get() and immediately before iterating affected PEs and devices. This ensures EEH-triggered PCI removes occur under proper bus rescan locking without recursive lock contention. The eeh_pe_loc_get() function has been split into two functions: eeh_pe_loc_get(struct eeh_pe *pe), which retrieves the loc for a given PE, and eeh_pe_loc_get_bus(struct pci_bus *bus), which retrieves the location code for a given bus. This resolves lockdep warnings such as: <snip> [ 84.964298] [ T928] ============================================ [ 84.964304] [ T928] WARNING: possible recursive locking detected [ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted [ 84.964315] [ T928] -------------------------------------------- [ 84.964320] [ T928] eehd/928 is trying to acquire lock: [ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] *** DEADLOCK *** [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 —truncated— 2026-05-27 not yet calculated CVE-2026-45904 https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323
https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf
https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea
https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c
https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies. The lookup sequence is: 1. First, lookup output route for ICMP reply (dst = original src) 2. Pass through xfrm_lookup() for policy check 3. If blocked (-EPERM) or dst is not local, enter “reverse path” 4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec which reverses the original packet’s flow (saddr<->daddr swapped) 5. If fl4_dec.saddr is local (we are the original destination), use __ip_route_output_key() for output route lookup 6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet’s input path 7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (original packet’s source) as destination. If this address becomes local between the initial check and ip_route_input() call (e.g., due to concurrent “ip addr add”), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug. This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON: ------------[ cut here ]------------ WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1 Call Trace: <TASK> ip_push_pending_frames+0x202/0x240 icmp_push_reply+0x30d/0x430 __icmp_send+0x1149/0x24f0 ip_options_compile+0xa2/0xd0 ip_rcv_finish_core+0x829/0x1950 ip_rcv+0x2d7/0x420 __netif_receive_skb_one_core+0x185/0x1f0 netif_receive_skb+0x90/0x450 tun_get_user+0x3413/0x3fb0 tun_chr_write_iter+0xe4/0x220 … Fix this by checking rt2->rt_type after ip_route_input(). If it’s RTN_LOCAL, the route cannot be used for output, so treat it as an error. The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at: https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81 2026-05-27 not yet calculated CVE-2026-45905 https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b
https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c
https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228
https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1
https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652
https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: pf1550: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting the IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle, which usually crashes the system or otherwise silently corrupts memory. Note that there is a similar situation which can also happen during `probe()`: the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45906 https://git.kernel.org/stable/c/1bdefeed904f1f17e1f73a4d8a035515f3a9fad8
https://git.kernel.org/stable/c/838767f5074700552d3f006d867caed65edc7328
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned “Fixes” commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering. The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -…-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock. But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary. 2026-05-27 not yet calculated CVE-2026-45907 https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad
https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9
https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix memory leak in amdxdna_ubuf_map The amdxdna_ubuf_map() function allocates memory for sg and internal sg table structures, but it fails to free them if subsequent operations (sg_alloc_table_from_pages or dma_map_sgtable) fail. 2026-05-27 not yet calculated CVE-2026-45908 https://git.kernel.org/stable/c/5a68d2c99c859e6e8e36fa4e32749abf6d1fb66a
https://git.kernel.org/stable/c/f9f4366d2ff93b07c2571561c776bd9a708078c3
https://git.kernel.org/stable/c/84dd57fb0359500092f1101409ca32091731490d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix role switching during resume If the role changes while we are suspended, the cdns3 driver switches to the new mode during resume. However, switching to host mode in this context causes a NULL pointer dereference. The host role’s start() operation registers an xhci-hcd device, but its probe is deferred while we are in the resume path. The host role’s resume() operation assumes the xhci-hcd device is already probed, which is not the case, leading to the dereference. Since the start() operation of the new role is already called, the resume operation can be skipped. So skip the resume operation for the new role if a role switch occurs during resume. Once the resume sequence is complete, the xhci-hcd device can be probed in case of host mode. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208 Mem abort info: … Data abort info: … [0000000000000208] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted 6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT Hardware name: Texas Instruments J7200 EVM (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : usb_hcd_is_primary_hcd+0x0/0x1c lr : cdns_host_resume+0x24/0x5c … Call trace: usb_hcd_is_primary_hcd+0x0/0x1c (P) cdns_resume+0x6c/0xbc cdns3_controller_resume.isra.0+0xe8/0x17c cdns3_plat_resume+0x18/0x24 platform_pm_resume+0x2c/0x68 dpm_run_callback+0x90/0x248 device_resume+0x100/0x24c dpm_resume+0x190/0x2ec dpm_resume_end+0x18/0x34 suspend_devices_and_enter+0x2b0/0xa44 pm_suspend+0x16c/0x5fc state_store+0x80/0xec kobj_attr_store+0x18/0x2c sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x130/0x1dc vfs_write+0x240/0x370 ksys_write+0x70/0x108 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0x108 
el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401) ---[ end trace 0000000000000000 ]--- 2026-05-27 not yet calculated CVE-2026-45911 https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47
https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3
https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c
https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d
https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a
https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22
https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: don’t cache extent during splitting extent Caching extents during the splitting process is risky, as it may result in stale extents remaining in the status tree. Moreover, in most cases, the corresponding extent block entries are likely already cached before the split happens, making caching here not particularly useful. Assume we have an unwritten extent, and then DIO writes the first half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree |<- ->| ----> dio write this range First, when ext4_split_extent_at() splits this extent, it truncates the existing extent and then inserts a new one. During this process, this extent status entry may be shrunk, and calls to ext4_find_extent() and ext4_cache_extents() may occur, which could potentially insert the truncated range as a hole into the extent status tree. After the split is completed, this hole is not replaced with the correct status. [UUUUUUU|UUUUUUUU] on-disk extent U: unwritten extent [UUUUUUU|HHHHHHHH] extent status tree H: hole Then, the outer calling functions will not correct this remaining hole extent either. Finally, if we perform a delayed buffer write on this latter part, it will re-insert the delayed extent and cause an error in space accounting. In addition, if the unwritten extent cache is not shrunk during the splitting, ext4_cache_extents() also conflicts with existing extents when caching extents. In the future, we will add checks when caching extents, which will trigger a warning. Therefore, do not cache extents that are being split. 2026-05-27 not yet calculated CVE-2026-45912 https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415
https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b
https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820
https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036
https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208
https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23
https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be
https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: always update mdb_n_entries for vlan contexts syzbot triggered a warning[1] about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today (some were added over the years); the root cause of the problem is that the increase is done conditionally, and over the years these different conditions increased, so there were new ways to trigger the warning, that is, to do a decrease which wasn’t paired with a previous increase. For example, one way to trigger it is with flush: $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1 $ ip l add dumdum up master br0 type dummy $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1 $ ip link set dev br0 down $ ip link set dev br0 type bridge mcast_vlan_snooping 1 ^^^^ this will enable snooping, but will not update mdb_n_entries because in __br_multicast_enable_port_ctx() we check !netif_running $ bridge mdb flush dev br0 ^^^ this will trigger the warning because it will delete the pg which we added above, which will try to decrease mdb_n_entries Fix the problem by removing the conditional increase and always keeping the count up-to-date while the vlan exists. In order to do that we have to first initialize it on port-vlan context creation, and then always increase or decrease the value regardless of mcast options. To keep the current behaviour we have to enforce the mdb limit only if the context is the port’s or if the port-vlan’s mcast snooping is enabled. 
[1] ------------[ cut here ]------------ n == 0 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043 Modules linked in: CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline] RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline] RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825 Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 <0f> 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b RSP: 0018:ffffc9000c207220 EFLAGS: 00010293 RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800 R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238 FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0 Call Trace: <TASK> br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline] br_mdb_flush net/bridge/br_mdb.c:1544 [inline] br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561 rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1 rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel 
net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socke ---truncated--- 2026-05-27 not yet calculated CVE-2026-45913 https://git.kernel.org/stable/c/d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce
https://git.kernel.org/stable/c/724a405ce0309676f1e993c173382b4c4a022beb
https://git.kernel.org/stable/c/fae260fc84e1eae8f590c7907e53e8768df2d986
https://git.kernel.org/stable/c/45525fdfd4cb612d7b414dd5cfa1f43892a7cd71
https://git.kernel.org/stable/c/8b769e311a86bb9d15c5658ad283b86fc8f080a2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Revert “hwmon: (ibmpex) fix use-after-free in high/low store” This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d. Jean Delvare points out that the patch does not completely fix the reported problem, that it in fact introduces a (new) race condition, and that it may actually not be needed in the first place. Various AI reviews agree. Specific and relevant AI feedback: ” This reordering sets the driver data to NULL before removing the sensor attributes in the loop below. ibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but does not check if it is NULL before dereferencing it to access data->sensors[]. If a userspace process reads a sensor file (like temp1_input) while this delete function is running, could it race with the dev_set_drvdata(…, NULL) call here and crash in ibmpex_show_sensor()? Would it be safer to keep the original order where device_remove_file() is called before clearing the driver data? device_remove_file() should wait for any active sysfs callbacks to complete, which might already prevent the use-after-free this patch intends to fix. ” Revert the offending patch. If it can be shown that the originally reported alleged race condition does indeed exist, it can always be re-introduced with a complete fix. 2026-05-27 not yet calculated CVE-2026-45914 https://git.kernel.org/stable/c/05112ba67c824ab416cd54307c0b50aba9f0047a
https://git.kernel.org/stable/c/efd68429f23fb4015b0ebc2392334059e06fad18
https://git.kernel.org/stable/c/f448acd86835a650f9ea83460b9ca347d3aafba5
https://git.kernel.org/stable/c/914b47c9b824d3d74f31c764163edf93302100b1
https://git.kernel.org/stable/c/14a38784e09aebc21207dc32fffa05247fc3dd64
https://git.kernel.org/stable/c/894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d
https://git.kernel.org/stable/c/8bde3e395a85017f12af2b0ba5c3684f5af9c006
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fat: avoid parent link count underflow in rmdir Corrupted FAT images can leave a directory inode with an incorrect i_nlink (e.g. 2 even though subdirectories exist). rmdir then unconditionally calls drop_nlink(dir) and can drive i_nlink to 0, triggering the WARN_ON in drop_nlink(). Add a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the parent link count when it is at least 3, otherwise report a filesystem error. 2026-05-27 not yet calculated CVE-2026-45915 https://git.kernel.org/stable/c/7fe0de287e931e07cb96ecf1f449b2ebdb0e1115
https://git.kernel.org/stable/c/9894c79fd9466612d0514be157b5c30cd93aa645
https://git.kernel.org/stable/c/cd569b87378b9c33ae13c23d6bb9d205d66f7c4b
https://git.kernel.org/stable/c/d3b7ffa90f613938128432c7b2f35b7aa4bdd86b
https://git.kernel.org/stable/c/955c5d670b5ae07c78f4345e23a895638db96ce1
https://git.kernel.org/stable/c/17866f8a0822d414cb02e621cf003a7d04396ef8
https://git.kernel.org/stable/c/d0bb592fa9def2bace90ac8926c0a1d6fa8c1aa0
https://git.kernel.org/stable/c/8cafcb881364af5ef3a8b9fed4db254054033d8a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: sbs-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Keep the old behavior of just printing a warning in case of any failures during the IRQ request and finishing the probe successfully. 2026-05-27 not yet calculated CVE-2026-45916 https://git.kernel.org/stable/c/ca7dd71773e4e050b0fb98768b7eae60f8d1f38b
https://git.kernel.org/stable/c/f1f472b14ad56104ba228b8fbec60d5b21829913
https://git.kernel.org/stable/c/8010b745b436c3e1ca5dd960aa29fa3e0f6d8841
https://git.kernel.org/stable/c/2078830c32d1e49ac942c6f8c21f35c806ae5e94
https://git.kernel.org/stable/c/82d3eb97a976c9d56bb92b241397610e57a9c629
https://git.kernel.org/stable/c/861dda7a9074c0ff67788928165ae39d7f647491
https://git.kernel.org/stable/c/14d4dee5d8fb361bfff275832087254beab66d72
https://git.kernel.org/stable/c/8d59cf3887fbabacef53bfba473e33e8a8d9d07b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipvs: do not keep dest_dst if dev is going down There is a race between the netdev notifier ip_vs_dst_event() and the code that caches dst with a dev that is going down. As the FIB can be notified for the closed device after our handler finishes, it is possible for a valid route to be returned and cached, resulting in a leaked dev reference until the dest is removed. To prevent a new dest_dst from being attached to dest just after the handler dropped the old one, add a netif_running() check to make sure the notifier handler is not currently running for a device that is closing. 2026-05-27 not yet calculated CVE-2026-45917 https://git.kernel.org/stable/c/64af43033503458c46023e56d6ae7bb0f824b55f
https://git.kernel.org/stable/c/bae53b3baf2ff2f45f9205c438818fc055601a54
https://git.kernel.org/stable/c/024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e
https://git.kernel.org/stable/c/8fde939b0206afc1d5846217a01a16b9bc8c7896
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp – don’t deref NULL sk_socket member after tcp_close() When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporarily inserted in a “release list” for further processing. This happens in: ovpn_peer_keepalive_work() unlock_ovpn(release_list) This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks. In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of: tcp_close(sk) __tcp_close(sk) sock_orphan(sk) sk_set_socket(sk, NULL) The last function call will set sk->sk_socket to NULL. When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL. Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock. 2026-05-27 not yet calculated CVE-2026-45918 https://git.kernel.org/stable/c/f998b2c4bec487063a586695159f9a1856e81c56
https://git.kernel.org/stable/c/b9142cf4e066c825ec68752a7dcaceda700bbe26
https://git.kernel.org/stable/c/94560267d6c41b1ff3fafbab726e3f8a55a6af34
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sched/rt: Skip currently executing CPU in rto_next_cpu() CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed). However, multiple CPUs invoking tell_cpu_to_push() during LB increment rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts. The triggering scenario is as follows: cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <--------------------------atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios. 2026-05-27 not yet calculated CVE-2026-45919 https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41
https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3
https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b
https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07
https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896
https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250
https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801
https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure. 2026-05-27 not yet calculated CVE-2026-45920 https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d
https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95
https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20
https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769
https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897
https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f
https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128
https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse() The function mtd_parser_tplink_safeloader_parse() allocates buf via mtd_parser_tplink_safeloader_read_table(). If the allocation for parts[idx].name fails inside the loop, the code jumps to the err_free label without freeing buf, leading to a memory leak. Fix this by freeing the temporary buffer buf in the err_free label. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45921 https://git.kernel.org/stable/c/0f5e62ea5c43146eacdc6861cb1022ffae1b79bc
https://git.kernel.org/stable/c/e97f5fac8ce9a6b9ec724c97d86b0985e915fdca
https://git.kernel.org/stable/c/ec121ad626c319085f6d40a52cd04e99b4554926
https://git.kernel.org/stable/c/971e9c53aed82f17a9c6a65daa4e21cc15eba5b1
https://git.kernel.org/stable/c/980ce2b02dd06a4fdf5fee38b2e14becf9cf7b8b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak. Add a kfree() call to the error path to ensure the allocated memory is properly freed. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45922 https://git.kernel.org/stable/c/ee998cdbff6680891b0efd9d6ce53a388e5342c3
https://git.kernel.org/stable/c/b2bc649c18fbe8a7fd38d17266da3dcbfbcc44d2
https://git.kernel.org/stable/c/b3a10eca24fcfe913c0875e620f19596001bd6dc
https://git.kernel.org/stable/c/9b9d253908478f504297ac283c514e5953ddafa6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: usb: catc: enable basic endpoint checking catc_probe() fills three URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: – usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX – usb_rcvintpipe(usbdev, 2) for interrupt status A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a catc_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls after usb_set_interface() to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time. Similar to – commit 90b7f2961798 (“net: usb: rtl8150: enable basic endpoint checking”) which fixed the issue in rtl8150. 2026-05-27 not yet calculated CVE-2026-45923 https://git.kernel.org/stable/c/eade522d3e6ac3f3bfb51bfa5b5b4b32bd0b846f
https://git.kernel.org/stable/c/ac7739b78ded519e1d9919a814da3b34120bec8c
https://git.kernel.org/stable/c/163d04897e57633c5d2e69734e4e4b22bb63f50d
https://git.kernel.org/stable/c/a488001a8197da4f9c413eec8f6acbff71c60145
https://git.kernel.org/stable/c/36c28b028efba0f42218d41fed12c47ce217c1f1
https://git.kernel.org/stable/c/1a42cfced8900d33d032c7ec338484855b61b8cc
https://git.kernel.org/stable/c/9e7021d2aeae57c323a6f722ed7915686cdcc123
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths There are two places where ksmbd_vfs_kern_path_end_removing() needs to be called in order to balance what the corresponding successful call to ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and put the taken references. Otherwise there might be potential deadlocks and unbalanced locks which are caught like: BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596 last function: handle_ksmbd_work 2 locks held by kworker/5:21/7596: #0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660 #1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660 CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 Workqueue: ksmbd-io handle_ksmbd_work Call Trace: <TASK> dump_stack_lvl+0x44/0x5b process_one_work.cold+0x57/0x5c worker_thread+0x82/0x600 kthread+0x153/0x190 ret_from_fork+0x22/0x30 </TASK> Found by Linux Verification Center (linuxtesting.org). 2026-05-27 not yet calculated CVE-2026-45924 https://git.kernel.org/stable/c/8e3a3192ef78d8302916408d62813b1fddfc8972
https://git.kernel.org/stable/c/f221baa80e5959a0c08a7e34abbf2a4d3cf0e1c2
https://git.kernel.org/stable/c/cf29329a13df79c198b45dfc92577638d30b56fa
https://git.kernel.org/stable/c/34d6691933682f0516259a31b39d2cebcedec0a5
https://git.kernel.org/stable/c/0c578e8065c4b08d5635a4cbc0f6321df9d20f79
https://git.kernel.org/stable/c/4c38600feb81c670edb82e49d201d3d2d00cd4c3
https://git.kernel.org/stable/c/a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermal_of_cm_lookup() In thermal_of_cm_lookup(), tr_np is obtained via of_parse_phandle(), but never released. Use the __free(device_node) cleanup attribute to automatically release the node and fix the leak. [ rjw: Changelog edits ] 2026-05-27 not yet calculated CVE-2026-45925 https://git.kernel.org/stable/c/8af710156c53cdb392d529497ef2b3a10a1f9370
https://git.kernel.org/stable/c/8344d5da9df74fdbef676214d0c482fc822a01ca
https://git.kernel.org/stable/c/025796ccd7f9f2e013e12319de26b6c021a80c1f
https://git.kernel.org/stable/c/a1fe789a96fe47733c133134fd264cb7ca832395
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rust: pwm: Fix potential memory leak on init error When initializing a PWM chip using pwmchip_alloc(), the allocated device owns an initial reference that must be released on all error paths. If __pinned_init() were to fail, the allocated pwm_chip would currently leak because the error path returns without calling pwmchip_put(). 2026-05-27 not yet calculated CVE-2026-45926 https://git.kernel.org/stable/c/baa8b7097d9cc68ff85819cf683972a58c2ce32b
https://git.kernel.org/stable/c/a2633dc243c35754a0c2270131d8a199c987c9bf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map’s frozen state. This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing. Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents. Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map. 2026-05-27 not yet calculated CVE-2026-45927 https://git.kernel.org/stable/c/7752d36343862323bbeea4ce3adf0ec2ed86e122
https://git.kernel.org/stable/c/f415e114b58fe02c41191e47f24bdabb438daf72
https://git.kernel.org/stable/c/a2c86aa621c22f2a7e26c654f936d65cfff0aa91
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix memory leak on codec_info allocation failure In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is allocated via kzalloc(). If the subsequent allocation for inst->codec_info fails, the functions return -ENOMEM without freeing the previously allocated instance, causing a memory leak. Fix this by calling kfree() on the instance in this error path to ensure it is properly released. 2026-05-27 not yet calculated CVE-2026-45928 https://git.kernel.org/stable/c/52defdd4034db1a34bb48006f889d66a3629224b
https://git.kernel.org/stable/c/1de71556cbd6e1d0d26fb86b9b3bb8caa0df8495
https://git.kernel.org/stable/c/32e9e45cf7e3422d21fa64535588d3572faf71c3
https://git.kernel.org/stable/c/a519e21e32398459ba357e67b541402f7295ee1b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: mctp: ensure our nlmsg responses are initialised Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from DEVCORE Research Team working with Trend Micro Zero Day Initiative report that an RTM_GETNEIGH will return uninitialised data in the pad bytes of the ndmsg data. Ensure we’re initialising the netlink data to zero, in the link, addr and neigh response messages. 2026-05-27 not yet calculated CVE-2026-45930 https://git.kernel.org/stable/c/6fb6a97c86abb8592158088afaea0eb464cf9de1
https://git.kernel.org/stable/c/a6a9bc544b675d8b5180f2718ec985ad267b5cbf
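The mctp entry is a kernel-to-user infoleak of the classic shape: the responder sets the fields it cares about and never touches the explicit pad members, so whatever the skb memory previously held goes out on the wire. The C program below is an added example, not the kernel's code; it assumes a header laid out like struct ndmsg (family, two explicit pad fields, ifindex, state, flags, type), fills a buffer with a constructed stale marker to stand in for previously used memory, and counts how many marker bytes survive the field-by-field fill versus the zero-then-fill variant the fix uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout mirroring struct ndmsg from <linux/neighbour.h>; the two
 * explicit pad members are the bytes the advisory says were leaked. */
struct toy_ndmsg {
    uint8_t  ndm_family;
    uint8_t  ndm_pad1;
    uint16_t ndm_pad2;
    int32_t  ndm_ifindex;
    uint16_t ndm_state;
    uint8_t  ndm_flags;
    uint8_t  ndm_type;
};

/* Constructed marker standing in for stale kernel memory. */
#define STALE 0x5a

/* Buggy pattern: only the fields the responder cares about are written. */
static void fill_ndmsg_fieldwise(struct toy_ndmsg *h, int ifindex)
{
    h->ndm_family  = 45;     /* AF_MCTP */
    h->ndm_ifindex = ifindex;
    h->ndm_state   = 0x02;   /* NUD_REACHABLE */
    h->ndm_flags   = 0;
    h->ndm_type    = 0;
}

/* Fixed pattern: zero the whole header before setting fields. */
static void fill_ndmsg_zeroed(struct toy_ndmsg *h, int ifindex)
{
    memset(h, 0, sizeof(*h));
    fill_ndmsg_fieldwise(h, ifindex);
}

/* Simulate an skb whose memory was previously used: count the bytes of the
 * finished message that still carry the stale marker. The union keeps the
 * raw view and the struct view at the same, correctly aligned address. */
static size_t leaked_bytes(void (*fill)(struct toy_ndmsg *, int))
{
    union {
        struct toy_ndmsg h;
        uint8_t raw[sizeof(struct toy_ndmsg)];
    } skb;
    size_t n = 0;

    memset(skb.raw, STALE, sizeof(skb.raw));
    fill(&skb.h, 1);
    for (size_t i = 0; i < sizeof(skb.raw); i++)
        if (skb.raw[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("sizeof(ndmsg)      = %zu\n", sizeof(struct toy_ndmsg));
    printf("field-wise fill    leaks %zu bytes\n", leaked_bytes(fill_ndmsg_fieldwise));
    printf("zeroed fill        leaks %zu bytes\n", leaked_bytes(fill_ndmsg_zeroed));
    return 0;
}
```

Three bytes per message is small, but a netlink dump repeats the header per entry and an attacker can issue the request as often as they like, so the leak is usable for harvesting heap contents over time. Tooling note: KMSAN is the kernel sanitizer that reports exactly this class (copy of uninitialised memory to user space), and a quick audit heuristic is to grep a netlink responder for header fields set one by one with no preceding memset or designated-initializer zeroing.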
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation I have been observing a number of systems aborting at insert_dev_extents() in btrfs_create_pending_block_groups(). The following is a sample stack trace of such an abort coming from forced chunk allocation (typically behind CONFIG_BTRFS_EXPERIMENTAL) but this can theoretically happen to any DUP chunk allocation. [81.801] ————[ cut here ]———— [81.801] BTRFS: Transaction aborted (error -17) [81.801] WARNING: fs/btrfs/block-group.c:2876 at btrfs_create_pending_block_groups+0x721/0x770 [btrfs], CPU#1: bash/319 [81.802] Modules linked in: virtio_net btrfs xor zstd_compress raid6_pq null_blk [81.803] CPU: 1 UID: 0 PID: 319 Comm: bash Kdump: loaded Not tainted 6.19.0-rc6+ #319 NONE [81.803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 [81.804] RIP: 0010:btrfs_create_pending_block_groups+0x723/0x770 [btrfs] [81.806] RSP: 0018:ffffa36241a6bce8 EFLAGS: 00010282 [81.806] RAX: 000000000000000d RBX: ffff8e699921e400 RCX: 0000000000000000 [81.807] RDX: 0000000002040001 RSI: 00000000ffffffef RDI: ffffffffc0608bf0 [81.807] RBP: 00000000ffffffef R08: ffff8e69830f6000 R09: 0000000000000007 [81.808] R10: ffff8e699921e5e8 R11: 0000000000000000 R12: ffff8e6999228000 [81.808] R13: ffff8e6984d82000 R14: ffff8e69966a69c0 R15: ffff8e69aa47b000 [81.809] FS: 00007fec6bdd9740(0000) GS:ffff8e6b1b379000(0000) knlGS:0000000000000000 [81.809] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [81.810] CR2: 00005604833670f0 CR3: 0000000116679000 CR4: 00000000000006f0 [81.810] Call Trace: [81.810] <TASK> [81.810] __btrfs_end_transaction+0x3e/0x2b0 [btrfs] [81.811] btrfs_force_chunk_alloc_store+0xcd/0x140 [btrfs] [81.811] kernfs_fop_write_iter+0x15f/0x240 [81.812] vfs_write+0x264/0x500 [81.812] ksys_write+0x6c/0xe0 [81.812] do_syscall_64+0x66/0x770 [81.812] entry_SYSCALL_64_after_hwframe+0x76/0x7e 
[81.813] RIP: 0033:0x7fec6be66197 [81.814] RSP: 002b:00007fffb159dd30 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 [81.815] RAX: ffffffffffffffda RBX: 00007fec6bdd9740 RCX: 00007fec6be66197 [81.815] RDX: 0000000000000002 RSI: 0000560483374f80 RDI: 0000000000000001 [81.816] RBP: 0000560483374f80 R08: 0000000000000000 R09: 0000000000000000 [81.816] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002 [81.817] R13: 00007fec6bfb85c0 R14: 00007fec6bfb5ee0 R15: 00005604833729c0 [81.817] </TASK> [81.817] irq event stamp: 20039 [81.818] hardirqs last enabled at (20047): [<ffffffff99a68302>] __up_console_sem+0x52/0x60 [81.818] hardirqs last disabled at (20056): [<ffffffff99a682e7>] __up_console_sem+0x37/0x60 [81.819] softirqs last enabled at (19470): [<ffffffff999d2b46>] __irq_exit_rcu+0x96/0xc0 [81.819] softirqs last disabled at (19463): [<ffffffff999d2b46>] __irq_exit_rcu+0x96/0xc0 [81.820] —[ end trace 0000000000000000 ]— [81.820] BTRFS: error (device dm-7 state A) in btrfs_create_pending_block_groups:2876: errno=-17 Object already exists
Inspecting these aborts with drgn, I observed a pattern of overlapping chunk_maps. Note how stripe 1 of the first chunk overlaps in physical address with stripe 0 of the second chunk.
Physical Start      Physical End        Length  Logical             Type      Stripe
------------------------------------------------------------------------------------
0x0000000102500000  0x0000000142500000  1.0G    0x0000000641d00000  META|DUP  0/2
0x0000000142500000  0x0000000182500000  1.0G    0x0000000641d00000  META|DUP  1/2
0x0000000142500000  0x0000000182500000  1.0G    0x0000000601d00000  META|DUP  0/2
0x0000000182500000  0x00000001c2500000  1.0G    0x0000000601d00000  META|DUP  1/2
Now how could this possibly happen? All chunk allocation is —truncated— 2026-05-27 not yet calculated CVE-2026-45934 https://git.kernel.org/stable/c/7d4eadee7042d27fcea659fcdd738f463a7d2e70
https://git.kernel.org/stable/c/156cac365e27a82b64ae510c5f463fd81f0265b1
https://git.kernel.org/stable/c/b14c5e04bd0f722ed631845599d52d03fcae1bc1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: goldfish: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. This usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45936 https://git.kernel.org/stable/c/589d4fe56713c6344cd9f8939f9c7621c85f0966
https://git.kernel.org/stable/c/bad8b61eb5059acd88349680e47839342dc89e94
https://git.kernel.org/stable/c/33751e28842bf5aee5ef7b2b8d5e456a069095cb
https://git.kernel.org/stable/c/77ea437faa4c06362e3ecfd2d7264eaa7ac1e82c
https://git.kernel.org/stable/c/4350505e82b4f972ddb788e1c712c557c38859d0
https://git.kernel.org/stable/c/8c89aade8335e26a6a7dcda18992d15f51943927
https://git.kernel.org/stable/c/0b29ffe4090a3fc7a7649de20e1eb1e53adddac7
https://git.kernel.org/stable/c/b2ce982e2e0c888dc55c888ad0e20ea04daf2e6b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: inside-secure/eip93 – fix kernel panic in driver detach During driver detach, the same hash algorithm is unregistered multiple times due to a wrong iterator. 2026-05-27 not yet calculated CVE-2026-45937 https://git.kernel.org/stable/c/7530c3595d1e23bc5938cbd44b7e8f33457fc71f
https://git.kernel.org/stable/c/91c6f25075a8f8fbd7316d73e1edf281a94f78df
https://git.kernel.org/stable/c/b6e32ba6d32503440a3e3e16c8d0521cbb7e0c5d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. This usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45938 https://git.kernel.org/stable/c/dbe579e620ef0f53db490ec79a8566e4ea8918ac
https://git.kernel.org/stable/c/08e674e9862a2db46fb234eb7c5442455ece0131
https://git.kernel.org/stable/c/d7d31fc99d248d5f47588f50dce5c7599c991c6a
https://git.kernel.org/stable/c/b7508129978ae1e2ed9b0410396abc05def9c4eb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gpib: Fix memory leak in ni_usb_init() In ni_usb_init(), if ni_usb_setup_init() fails, the function returns -EFAULT without freeing the allocated writes buffer, leading to a memory leak. Additionally, ni_usb_setup_init() returns 0 on failure, which causes ni_usb_init() to return -EFAULT, an inappropriate error code for this situation. Fix the leak by freeing writes in the error path. Modify ni_usb_setup_init() to return -EINVAL on failure and propagate this error code in ni_usb_init(). 2026-05-27 not yet calculated CVE-2026-45939 https://git.kernel.org/stable/c/9c97fcfb7a62dea893104a046d544da8ac23370b
https://git.kernel.org/stable/c/c899d4b62c0757a280831e89c1f3801b597e8f38
https://git.kernel.org/stable/c/b89921eed8cf2d97250bac4be38dbcfbf048b586
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 … x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc … To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not. 2026-05-27 not yet calculated CVE-2026-45940 https://git.kernel.org/stable/c/b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609
https://git.kernel.org/stable/c/36f81cb7d82e9614a7058da6abdf2e3a03993df1
https://git.kernel.org/stable/c/babab1b42ed68877ef669a08384becf281ad2582
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure get_burstcount() can return -EBUSY on timeout. When this happens, the function returns directly without releasing the locality that was acquired at the beginning of tpm_tis_i2c_send(). Use goto out_err to ensure proper cleanup when get_burstcount() fails. 2026-05-27 not yet calculated CVE-2026-45941 https://git.kernel.org/stable/c/8f124c5582d443ac9fb690db26d08cab5d6ba76e
https://git.kernel.org/stable/c/c24c9c4cab11858f22f309521ba7ea5b1e7385f2
https://git.kernel.org/stable/c/1bb8f8826d0748b4b92a98fb6b6dfe52081739f5
https://git.kernel.org/stable/c/948966e546f29af04391d98b8e378e4a7670c1c1
https://git.kernel.org/stable/c/a61b8412e3eb8b71646dba867e8252d8560a1a27
https://git.kernel.org/stable/c/1a22048c1117cdfac185ba450aba67ed6b65dc87
https://git.kernel.org/stable/c/2f7a665e1323359d99c74301d1e180f5e2c40181
https://git.kernel.org/stable/c/bbd6e97c836cbeb9606d7b7e5dcf8a1d89525713
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: fix inline data read failure for ztailpacking pclusters Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference. It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while read_mapping_folio() is running, as shown below: erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 … pc : z_erofs_decompress_queue+0x4c8/0xa14 lr : z_erofs_decompress_queue+0x160/0xa14 sp : ffffffc08b3eb3a0 x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000 x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001 x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700 x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098 x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004 x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9 x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: z_erofs_decompress_queue+0x4c8/0xa14 z_erofs_runqueue+0x908/0x97c z_erofs_read_folio+0x128/0x228 filemap_read_folio+0x68/0x128 filemap_get_pages+0x44c/0x8b4 filemap_read+0x12c/0x5b8 generic_file_read_iter+0x4c/0x15c do_iter_readv_writev+0x188/0x1e0 vfs_iter_read+0xac/0x1a4 backing_file_read_iter+0x170/0x34c ovl_read_iter+0xf0/0x140 vfs_read+0x28c/0x344 ksys_read+0x80/0xf0 __arm64_sys_read+0x24/0x34 invoke_syscall+0x60/0x114 
el0_svc_common+0x88/0xe4 do_el0_svc+0x24/0x30 el0_svc+0x40/0xa8 el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1bc/0x1c0 Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains. 2026-05-27 not yet calculated CVE-2026-45943 https://git.kernel.org/stable/c/ad07ea069f924465061cfee40ef2861bb99f4dd8
https://git.kernel.org/stable/c/5de1aa0bf3a5db0b3cbf61959da5ac61250833ed
https://git.kernel.org/stable/c/92088bd9aa2a7246bba8b9648fbc64edd173cf17
https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. This usually crashes the system or otherwise silently corrupts the memory… Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Commit 1c1f13a006ed (“power: supply: ab8500: Move to componentized binding”) introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. 2026-05-27 not yet calculated CVE-2026-45946 https://git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8
https://git.kernel.org/stable/c/551672981fe227122258a25a385a05f5c0746ad6
https://git.kernel.org/stable/c/f50433f2603def08b21a4bf2fd238687fb5cbde9
https://git.kernel.org/stable/c/847eeb6c0efcd76c7def73857cf798a4fcd8f79b
https://git.kernel.org/stable/c/709db4b476e254579d9c48ec34d397a41ca0c407
https://git.kernel.org/stable/c/46dbda27b028d78087667e8280966b99cec015ca
https://git.kernel.org/stable/c/c4af8a98bb52825a5331ae1d0604c0ea6956ba4b
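The goldfish, pm8916_lbc and ab8500 entries above are the same bug three times: devres tears resources down in reverse order of acquisition, so acquiring the IRQ before the power_supply handle means the handle is gone while the handler can still fire. The C model below is an added example that is not any of those drivers' code; it assumes a toy devres stack with LIFO release, a handler that records when it runs against a missing handle, and an interrupt that arrives once between the two probe steps and once between the two release steps. Both probe orders are run through the same removal path so the difference is only the ordering.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical devres model (assumption): releases run in reverse
 * registration order, the property the advisory relies on. */
#define MAX_RES 8

struct toy_device;
typedef void (*release_fn)(struct toy_device *);

struct toy_power_supply { int live; };

struct toy_device {
    release_fn rel[MAX_RES];
    int nres;
    struct toy_power_supply *psy;   /* NULL until registered and after release */
    bool irq_armed;                 /* IRQ handler currently registered       */
    int  bad_hits;                  /* handler ran without a usable handle    */
};

static void devm_add(struct toy_device *d, release_fn f) { d->rel[d->nres++] = f; }

/* The handler the hardware can trigger at any time while armed. In the real
 * driver this is where power_supply_changed() dereferences the handle. */
static void psy_irq_handler(struct toy_device *d)
{
    if (!d->irq_armed)
        return;
    if (d->psy == NULL || !d->psy->live)
        d->bad_hits++;              /* uninitialized-handle or use-after-free */
}

static void release_irq(struct toy_device *d) { d->irq_armed = false; }

static void release_psy(struct toy_device *d)
{
    d->psy->live = 0;
    free(d->psy);
    d->psy = NULL;                  /* model of the freed handle */
}

static int toy_devm_request_irq(struct toy_device *d)
{
    d->irq_armed = true;
    devm_add(d, release_irq);
    return 0;
}

static int toy_devm_power_supply_register(struct toy_device *d)
{
    d->psy = calloc(1, sizeof(*d->psy));
    if (!d->psy)
        return -ENOMEM;
    d->psy->live = 1;
    devm_add(d, release_psy);
    return 0;
}

/* Buggy order: IRQ first, then the handle. An interrupt between the two
 * steps runs the handler with no handle at all. */
static int probe_irq_first(struct toy_device *d)
{
    int rc = toy_devm_request_irq(d);
    if (rc)
        return rc;
    psy_irq_handler(d);             /* early interrupt during probe */
    return toy_devm_power_supply_register(d);
}

/* Fixed order: handle first, then the IRQ. The same early interrupt is a no-op. */
static int probe_psy_first(struct toy_device *d)
{
    int rc = toy_devm_power_supply_register(d);
    if (rc)
        return rc;
    psy_irq_handler(d);             /* early interrupt during probe */
    return toy_devm_request_irq(d);
}

/* Device removal: devres pops releases LIFO and an interrupt lands after
 * each release. Returns the number of times the handler ran on a bad handle. */
static int remove_with_late_irq(struct toy_device *d)
{
    while (d->nres > 0) {
        d->rel[--d->nres](d);
        psy_irq_handler(d);
    }
    return d->bad_hits;
}

static int run_scenario(int (*probe)(struct toy_device *))
{
    struct toy_device d;
    memset(&d, 0, sizeof(d));
    if (probe(&d))
        return -1;
    return remove_with_late_irq(&d);
}

int main(void)
{
    printf("IRQ before power_supply: %d bad handler runs\n", run_scenario(probe_irq_first));
    printf("power_supply before IRQ: %d bad handler runs\n", run_scenario(probe_psy_first));
    return 0;
}
```

The review heuristic this encodes: in any probe() built on devm_ helpers, every devm_request_irq (or anything else that can call back into the driver asynchronously) must come after the objects the callback touches, because remove() will undo them in the opposite order.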
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory leak. Fix this by ensuring that xcc_info is properly freed in the error paths. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45947 https://git.kernel.org/stable/c/e87c73a80a12d337cf5f493c0956f6c2c9eafd80
https://git.kernel.org/stable/c/18a7bbd11f17a7cd4c42fd5955d3675d68c692df
https://git.kernel.org/stable/c/d1370ef2ecf7d4df25e3e1e430cd191b1e7f8596
https://git.kernel.org/stable/c/7e4b612fe7a960d610c20260c9ee220bddd1b215
https://git.kernel.org/stable/c/c9be63d565789b56ca7b0197e2cb78a3671f95a8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_ext_shift_extents() In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the function returns immediately without releasing the path obtained via ext4_find_extent(), leading to a memory leak. Fix this by jumping to the out label to ensure the path is properly released. 2026-05-27 not yet calculated CVE-2026-45948 https://git.kernel.org/stable/c/7e807cb8603b7664fa630a696cd891d9a03c248d
https://git.kernel.org/stable/c/afc5e61e1a07b2b833bd72cbee36ecce9cd901e2
https://git.kernel.org/stable/c/1bce219ee5512cf179ba40cf114945a14a16e21f
https://git.kernel.org/stable/c/4a79fde8db7eba7f1128d971ceba4e3c9ac84aec
https://git.kernel.org/stable/c/2f4b1052246ca646bb17bfe0f53df2fdf9729b58
https://git.kernel.org/stable/c/12615ab4bfb69678e5d961b28bb70040299e51b1
https://git.kernel.org/stable/c/bd7b52557e4a3ccd7595fdb3a585f1257de57935
https://git.kernel.org/stable/c/ca81109d4a8f192dc1cbad4a1ee25246363c2833
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hwrng: core – use RCU and work_struct to fix race condition Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_unregister() may call kthread_stop() again on the same task. Additionally, if hwrng_unregister() is called immediately after hwrng_register(), the stopped thread may have never been executed. Thus, hwrng_fill remains dirty even after hwrng_unregister() returns. In this case, subsequent calls to hwrng_register() will fail to start new threads, and hwrng_unregister() will call kthread_stop() on the same freed task. In both cases, a use-after-free occurs: refcount_t: addition on 0; use-after-free. WARNING: … at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0 Call Trace: kthread_stop+0x181/0x360 hwrng_unregister+0x288/0x380 virtrng_remove+0xe3/0x200 This patch fixes the race by protecting the global hwrng_fill pointer inside the rng_mutex lock, so that hwrng_fillfn() thread is stopped only once, and calls to kthread_run() and kthread_stop() are serialized with the lock held. To avoid deadlock in hwrng_fillfn() while being stopped with the lock held, we convert current_rng to RCU, so that get_current_rng() can read current_rng without holding the lock. To remove the lock from put_rng(), we also delay the actual cleanup into a work_struct. Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR() checks are removed from its callers. With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns directly after current_rng is dropped, kthread_stop() would be called on a freed task_struct later. To fix this, hwrng_fillfn() calls schedule() now to keep the task alive until being stopped. 
The kthread_stop() call is also moved from hwrng_unregister() to drop_current_rng(), ensuring kthread_stop() is called on all possible paths where current_rng becomes NULL, so that the thread would not wait forever. 2026-05-27 not yet calculated CVE-2026-45949 https://git.kernel.org/stable/c/d5b7730f06994499632026c30e38e0317c4569e2
https://git.kernel.org/stable/c/dcf416eb88eafe1e3c0f920a14bdffd10bc4d259
https://git.kernel.org/stable/c/ad38f2cdfef9a2f2899c30cad269baec5bfd4a5d
https://git.kernel.org/stable/c/cc2f39d6ac48e6e3cb2d6240bc0d6df839dd0828
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: starfive – Fix memory leak in starfive_aes_aead_do_one_req() The starfive_aes_aead_do_one_req() function allocates rctx->adata with kzalloc() but fails to free it if sg_copy_to_buffer() or starfive_aes_hw_init() fails, which leads to memory leaks. Since rctx->adata is unconditionally freed after the write_adata operations, ensure consistent cleanup by freeing the allocation in these earlier error paths as well. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45950 https://git.kernel.org/stable/c/38d80307decc1132626a30e2a62af734630ecca5
https://git.kernel.org/stable/c/4869d0e4e48a5301b267d359b2561c4080791a55
https://git.kernel.org/stable/c/5f2c964a058581e1557c32d5de651c67a80438a7
https://git.kernel.org/stable/c/ccb679fdae2e62ed92fd9acb25ed809c0226fcc6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: Add validation for MTU changes Increasing the MTU beyond the HDS threshold causes the hardware to fragment packets across multiple buffers. If a single-buffer XDP program is attached, the driver will drop all multi-frag frames. While we can’t prevent a remote sender from sending non-TCP packets larger than the MTU, this will prevent users from inadvertently breaking new TCP streams. Traditionally, drivers supported XDP with MTU less than 4KB (packet per page). Fbnic currently prevents attaching XDP when MTU is too high. But it does not prevent increasing MTU after XDP is attached. 2026-05-27 not yet calculated CVE-2026-45952 https://git.kernel.org/stable/c/d7eaa006c0444a5d4671be7efe6dbb33ef8b515e
https://git.kernel.org/stable/c/03399063aa0c67fd8bdfd69467ddb849bb3b97df
https://git.kernel.org/stable/c/ccd8e87748ad083047d6c8544c5809b7f96cc8df
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying(). However, later the same check is missing in need_this_block(), causing the stripe to loop forever during handling because handle_stripe() will decide to go to handle_stripe_fill(), meanwhile need_this_block() always returns 0 and nothing is handled. 2026-05-27 not yet calculated CVE-2026-45953 https://git.kernel.org/stable/c/870b9f15867b0e70f3459ef3974b043e8b229690
https://git.kernel.org/stable/c/28ef299e7a5b81817f8ca8297c2ddff28f5da5e8
https://git.kernel.org/stable/c/cd1635d844d26471c56c0a432abdee12fc9ad735
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() In au1200fb_drv_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. 2026-05-27 not yet calculated CVE-2026-45954 https://git.kernel.org/stable/c/81831d56b723bc1090ce3158feddaca88e85f939
https://git.kernel.org/stable/c/071d8fb757a8318f72c8e02898c2cf7e14e21fb6
https://git.kernel.org/stable/c/bd1ad63e11b2a568e98de536f319054d2de29f56
https://git.kernel.org/stable/c/3e5349e54113e2dce1a659c57935e18032742e56
https://git.kernel.org/stable/c/762a26818934241b8b0172a229d2cf5d87260e40
https://git.kernel.org/stable/c/3d4202ee6494c0d576cdc104b12e0834ca8136a8
https://git.kernel.org/stable/c/b024a8efee0f55d330a1cdd3eac8f79ac5acd3be
https://git.kernel.org/stable/c/ce4e25198a6aaaaf36248edf8daf3d744ec8e309
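A large share of this week's kernel entries are the same defect class: an early return on an error path skips the cleanup that a later path performs (rust: pwm, wave5, gpib ni_usb_init, tpm_i2c_infineon's locality, amdgpu_acpi_enumerate_xcc, ext4_ext_shift_extents, starfive AES and au1200fb above). The C program below is an added example that belongs to none of those drivers; it assumes a hypothetical probe that takes a heap buffer, an exclusive "locality" in the TPM sense, and an IRQ lookup that can be made to fail, and it contrasts the early-return shape with the goto-unwind ladder the fixes introduce. An allocation counter and the locality flag serve as the leak detector, so each injected failure can be checked for what it leaves behind.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical resource accounting (assumption, not from any driver). */
static int live_allocs;     /* outstanding heap objects            */
static int locality_held;   /* TPM-style exclusive access, 0 or 1   */

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

static int request_locality(void)
{
    if (locality_held)
        return -EBUSY;
    locality_held = 1;
    return 0;
}

static void release_locality(void) { locality_held = 0; }

/* Stand-in for platform_get_irq()/get_burstcount(): fails when asked to. */
static int get_irq(bool fail) { return fail ? -ENXIO : 42; }

/* Buggy shape: each failure returns directly, dropping whatever came before.
 * On success everything is released here so that the accounting below only
 * reflects error paths (a real probe would keep the resources for remove()). */
static int probe_early_return(bool fail_locality, bool fail_irq)
{
    int rc, irq;
    void *writes = track_alloc(256);

    if (!writes)
        return -ENOMEM;
    rc = fail_locality ? -EBUSY : request_locality();
    if (rc)
        return rc;                  /* leaks writes */
    irq = get_irq(fail_irq);
    if (irq < 0)
        return irq;                 /* leaks writes and keeps the locality */

    release_locality();
    track_free(writes);
    return 0;
}

/* Fixed shape: one exit ladder, entered at the point matching how far
 * acquisition got, so every earlier step is undone in reverse order. */
static int probe_goto_unwind(bool fail_locality, bool fail_irq)
{
    int rc, irq;
    void *writes = track_alloc(256);

    if (!writes)
        return -ENOMEM;
    rc = fail_locality ? -EBUSY : request_locality();
    if (rc)
        goto out_free;
    irq = get_irq(fail_irq);
    if (irq < 0) {
        rc = irq;
        goto out_locality;
    }
    rc = 0;
out_locality:
    release_locality();
out_free:
    track_free(writes);
    return rc;
}

/* Runs one probe with injected failures and reports what it left behind:
 * live heap objects plus a still-held locality. 0 means clean. */
static int leftovers(int (*probe)(bool, bool), bool fail_locality, bool fail_irq)
{
    live_allocs = 0;
    locality_held = 0;
    (void)probe(fail_locality, fail_irq);
    return live_allocs + locality_held;
}

int main(void)
{
    printf("early return, locality fails: %d leftover\n", leftovers(probe_early_return, true, false));
    printf("early return, irq fails:      %d leftover\n", leftovers(probe_early_return, false, true));
    printf("goto unwind,  locality fails: %d leftover\n", leftovers(probe_goto_unwind, true, false));
    printf("goto unwind,  irq fails:      %d leftover\n", leftovers(probe_goto_unwind, false, true));
    return 0;
}
```

Two points worth carrying into review of similar code: a held lock or locality is a leak just like a buffer (the tpm_i2c_infineon entry wedges the TPM for every later user, which is worse than losing a few bytes), and the ladder only works if the labels are ordered in reverse of acquisition, which is the property the goldfish-style devm_ bugs elsewhere in this table violate by other means.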
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitmap_daemon_fn) then continues to the next page without calling llbitmap_resume(), leaving the percpu_ref in a killed state permanently. Fix this by resurrecting the percpu_ref before returning the error, ensuring the page control structure remains usable for subsequent operations. 2026-05-27 not yet calculated CVE-2026-45955 https://git.kernel.org/stable/c/095417d6b669c2dec39a5842ccb94df915f97f54
https://git.kernel.org/stable/c/2446d099350185caeed19ab2c0270451a97296fb
https://git.kernel.org/stable/c/d119bd2e1643cc023210ff3c6f0657e4f914e71d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more. To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer. 2026-05-27 not yet calculated CVE-2026-45956 https://git.kernel.org/stable/c/2987642c5213508c6c9e718324c0d5289a92c474
https://git.kernel.org/stable/c/65d1213baffa363f2eb1117b1dc7acc573b890f8
https://git.kernel.org/stable/c/875fa28690e93ed5296c31d3344556c6bb867234
https://git.kernel.org/stable/c/21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d
https://git.kernel.org/stable/c/b5fc86d753dd4c281a943b92f0eef02d31af03d7
https://git.kernel.org/stable/c/a540f767642f75240a6c35f6a65b69e44cfcea9d
https://git.kernel.org/stable/c/d3968a0d85b211e197f2f4f06268a7031079e0d0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to softirq Commit 5f5fa7ea89dc (“rcu: Don’t use negative nesting depth in __rcu_read_unlock()”) removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke the deadloop in raise_softirq_irqoff() with ftrace enabled as follows: WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180 Modules linked in: my_irq_work(O) CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full) Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180 RSP: 0018:ffffc900000034a8 EFLAGS: 00010002 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329 RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000 R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054 FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <IRQ> trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 
__ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 __is_insn_slot_addr+0x54/0x70 kernel_text_address+0x48/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x1e/0x40 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 __raise_softirq_irqoff+0x61/0x80 __flush_smp_call_function_queue+0x115/0x420 __sysvec_call_function_single+0x17/0xb0 sysvec_call_function_single+0x8c/0xc0 </IRQ> Commit b41642c87716 (“rcu: Fix rcu_read_unlock() deadloop due to IRQ work”) fixed the infinite loop in rcu_read_unlock_special() for IRQ work by setting a flag before calling irq_work_queue_on(). We fix this issue by setting the same flag before calling raise_softirq_irqoff() and rename the flag to defer_qs_pending to make it more general. 2026-05-27 not yet calculated CVE-2026-45957 https://git.kernel.org/stable/c/979c708e6c9d7fc461daef2dad8b45f22e23464c
https://git.kernel.org/stable/c/1f16679a5aa60238466ce339c35f5e82ece60337
https://git.kernel.org/stable/c/4a4a6e12c9c829be3f74b7206fa8640fc4e1c566
https://git.kernel.org/stable/c/c2932e16d8c354404b17123e64daa8e33191e145
https://git.kernel.org/stable/c/d41e37f26b3157b3f1d10223863519a943aa239b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put(): kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt)) This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0’s bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERR_PTR(-EEXIST) instead of the node when it’s already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values. 2026-05-27 not yet calculated CVE-2026-45960 https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef
https://git.kernel.org/stable/c/507a1de58c21c95ad7c44afccaf1222d1c42246b
https://git.kernel.org/stable/c/986455135b95f32c1f142068e451098fc751749e
https://git.kernel.org/stable/c/7b57ada854b32310f224abd61bcfec2d5790ff0a
https://git.kernel.org/stable/c/51838112d9c22502333c3085ca0c0d691e7093c6
https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d
https://git.kernel.org/stable/c/2e9185a42e0e237c74435fd092b7c34537c62156
https://git.kernel.org/stable/c/d8a73cc46c8462a969a7516131feb3096f4c49d3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gfs2: fix memory leaks in gfs2_fill_super error path Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails. First leak: kthread objects (thread_struct, task_struct, etc.) When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the created kernel threads (logd and quotad) are never destroyed. This occurs because the fail_per_node label doesn’t call gfs2_destroy_threads(). Second leak: quota bitmap buffer (8192 bytes) When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before other operations complete, the allocated quota bitmap is never freed. The fix moves thread cleanup to the fail_per_node label to handle all error paths uniformly. gfs2_destroy_threads() is safe to call unconditionally as it checks for NULL pointers. Quota cleanup is added in gfs2_make_fs_rw() to properly handle the withdrawal case where quota initialization succeeds but the filesystem is then withdrawn. Thread leak backtrace (gfs2_freeze_lock_shared failure): unreferenced object 0xffff88801d7bca80 (size 4480): copy_process+0x3a1/0x4670 kernel/fork.c:2422 kernel_clone+0xf3/0x6e0 kernel/fork.c:2779 kthread_create_on_node+0x100/0x150 kernel/kthread.c:478 init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611 gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265 Quota leak backtrace (gfs2_make_fs_rw failure): unreferenced object 0xffff88812de7c000 (size 8192): gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409 gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149 gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275 2026-05-27 not yet calculated CVE-2026-45961 https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c
https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before the IO_URING_F_SQE128 flag check. This could cause an out-of-bounds memory access. Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return -EINVAL immediately if the flag is not set. 2026-05-27 not yet calculated CVE-2026-45962 https://git.kernel.org/stable/c/4b4dff498f46e9802f71bc84258bf73065f51c6a
https://git.kernel.org/stable/c/31cac6acf77ece488f29fb8f79589d9298e969c8
https://git.kernel.org/stable/c/dbe8e81a2ec608f87f79a34f6444cd62f6a243bb
https://git.kernel.org/stable/c/f75a5555e0049e7857eae25b60aee98b80e287ec
https://git.kernel.org/stable/c/17d33ba7291100008360b5a354962db37ad80684
https://git.kernel.org/stable/c/da7e4b75e50c087d2031a92f6646eb90f7045a67
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: [ 1984.896308] BUG: unable to handle page fault for address: ffffffffc10c2a20 […] [ 1984.896388] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ 1984.896396] Workqueue: events nau8821_jdet_work [snd_soc_nau8821] [ 1984.896414] RIP: 0010:__mutex_lock+0x9f/0x11d0 […] [ 1984.896504] Call Trace: [ 1984.896511] <TASK> [ 1984.896524] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896572] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896596] snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896622] nau8821_jdet_work+0xeb/0x1e0 [snd_soc_nau8821] [ 1984.896636] process_one_work+0x211/0x590 [ 1984.896649] ? srso_return_thunk+0x5/0x5f [ 1984.896670] worker_thread+0x1cd/0x3a0 Cancel unscheduled jdet_work or wait for its execution to finish before the component driver gets removed. 2026-05-27 not yet calculated CVE-2026-45963 https://git.kernel.org/stable/c/3955767ec39dcc0358470ffe6535703e2b7fd815
https://git.kernel.org/stable/c/dbd3fd05cddfdeec1e49b0a66269881c09eebd17
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path Commit 5940d1cf9f42 (“SUNRPC: Rebalance a kref in auth_gss.c”) added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgot to add a corresponding kref_put() on the error path when kstrdup_const() fails. If service_name is non-NULL and kstrdup_const() fails, the function jumps to err_put_pipe_version which calls put_pipe_version() and kfree(gss_msg), but never releases the gss_auth reference. This leads to a kref leak where the gss_auth structure is never freed. Add a forward declaration for gss_free_callback() and call kref_put() in the err_put_pipe_version error path to properly release the reference taken earlier. 2026-05-27 not yet calculated CVE-2026-45964 https://git.kernel.org/stable/c/3b2b6c42070ce4204936288253baf101e995c2d3
https://git.kernel.org/stable/c/b559be2ec6cdb2e9c2c36c23fbbd4690d8a5c3f7
https://git.kernel.org/stable/c/a1bc9561b617ec7e2d09e6c134d1db8fcf9ca4a6
https://git.kernel.org/stable/c/655c9ba9915f05266998dbbf4b76b3c79b8a70aa
https://git.kernel.org/stable/c/e464e26b2457005c87e158570498274b9f3b90c7
https://git.kernel.org/stable/c/c20f925214249bb4fc04f7e197bea142a6438af6
https://git.kernel.org/stable/c/a2d4e9a76de0b2178001214ba5de5bf94a7354aa
https://git.kernel.org/stable/c/dd2fdc3504592d85e549c523b054898a036a6afe
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_binary is unset If the export_binary parameter is disabled on runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic link to the rawdata on the policy directory. When one of those profiles is replaced, the rawdata is set to NULL, but when trying to resolve the symbolic links to rawdata for that profile, it will try to dereference profile->rawdata->name when profile->rawdata is now NULL, causing an oops. Fix it by checking if rawdata is set. [ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088 [ 168.657420] #PF: supervisor read access in kernel mode [ 168.660619] #PF: error_code(0x0000) – not-present page [ 168.663613] PGD 0 P4D 0 [ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI [ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary) [ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330 [ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 <48> 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8 [ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282 [ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158 [ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80 [ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000 [ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80 [ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0 [ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000 [ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0 [ 168.701696] Call Trace: [ 168.702325] <TASK> [ 168.702995] rawdata_get_link_data+0x1c/0x30 [ 168.704145] vfs_readlink+0xd4/0x160 [ 168.705152] do_readlinkat+0x114/0x180 [ 168.706214] __x64_sys_readlink+0x1e/0x30 [ 168.708653] x64_sys_call+0x1d77/0x26b0 [ 168.709525] do_syscall_64+0x81/0x500 [ 168.710348] ? do_statx+0x72/0xb0 [ 168.711109] ? putname+0x3e/0x80 [ 168.711845] ? __x64_sys_statx+0xb7/0x100 [ 168.712711] ? x64_sys_call+0x10fc/0x26b0 [ 168.713577] ? do_syscall_64+0xbf/0x500 [ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0 [ 168.715404] ? irqentry_exit+0xb2/0x740 [ 168.716359] ? exc_page_fault+0x90/0x1b0 [ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e 2026-05-27 not yet calculated CVE-2026-45965 https://git.kernel.org/stable/c/e6b2fc7e34d4e7ca6b8598c33a3d45d59e455d8d
https://git.kernel.org/stable/c/6d8c180c825cbc73eeffaa79591f8e142dacae70
https://git.kernel.org/stable/c/3c36b87fc2a4cf88eadea8cf13923bd2b4f9a3fa
https://git.kernel.org/stable/c/b25298e89a297c42eb4c4d6f081d60375b820abb
https://git.kernel.org/stable/c/19f2e4055626a58842ddec3282ad4465a80c6625
https://git.kernel.org/stable/c/1d2b2b58fde9059a488bc25399e6c3d74e9b5548
https://git.kernel.org/stable/c/1432ab0774cba43e8111be39989ff226531a9bac
https://git.kernel.org/stable/c/df9ac55abd18628bd8cff687ea043660532a3654
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL pointer dereference in __unix_needs_revalidation When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket’s sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation(). This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new __unix_needs_revalidation() function was added without proper NULL checks. The crash manifests as: BUG: kernel NULL pointer dereference, address: 0x0000000000000018 RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0) Call Trace: apparmor_file_receive+0x42/0x80 security_file_receive+0x2e/0x50 receive_fd+0x1d/0xf0 scm_detach_fds+0xad/0x1c0 The function dereferences sock->sk->sk_family without checking if either sock or sock->sk is NULL first. Add NULL checks for both sock and sock->sk before accessing sk_family. 2026-05-27 not yet calculated CVE-2026-45966 https://git.kernel.org/stable/c/fea017a7f6abe179decf575a2d8464c74edb3964
https://git.kernel.org/stable/c/e85bc9101afc4202aa2269967ce9d3ffbecd0994
https://git.kernel.org/stable/c/e2938ad00b21340c0362562dfedd7cfec0554d67
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The map_direct_value_addr() function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolve_pseudo_ldimm64() function adds the offset. Fix it. Corresponding selftests are added in a subsequent commit. 2026-05-27 not yet calculated CVE-2026-45967 https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb
https://git.kernel.org/stable/c/e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cpuidle: Skip governor when only one idle state is available On certain platforms (PowerNV systems without a power-mgt DT node), cpuidle may register only a single idle state. In cases where that single state is a polling state (state 0), the ladder governor may incorrectly treat state 1 as the first usable state and pass an out-of-bounds index. This can lead to a NULL enter callback being invoked, ultimately resulting in a system crash. [ 13.342636] cpuidle-powernv : Only Snooze is available [ 13.351854] Faulting instruction address: 0x00000000 [ 13.376489] NIP [0000000000000000] 0x0 [ 13.378351] LR [c000000001e01974] cpuidle_enter_state+0x2c4/0x668 Fix this by adding a bail-out in cpuidle_select() that returns state 0 directly when state_count <= 1, bypassing the governor and keeping the tick running. 2026-05-27 not yet calculated CVE-2026-45968 https://git.kernel.org/stable/c/a0f7e804edc82e513d1ccb7c95ed8b351522ec81
https://git.kernel.org/stable/c/5d103a38e2ae96eca57fd17161bcd29bd4622d1c
https://git.kernel.org/stable/c/4da2b897283c39980d6ae09dc1560fcd937879e5
https://git.kernel.org/stable/c/5c577ac939bca486cb02069505cfe47a5312ce02
https://git.kernel.org/stable/c/8f6833d919bae915ead6c599a53e81e19b32da52
https://git.kernel.org/stable/c/63ae78336f40bcd9a44952a7c6bafb9c88a8effd
https://git.kernel.org/stable/c/a0724e40a58a0e323c59707edeae5b71d15800dc
https://git.kernel.org/stable/c/e5c9ffc6ae1bcdb1062527d611043681ac301aca
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Add missing check for input_ff_create_memless The ps_gamepad_create() function calls input_ff_create_memless() without verifying its return value, which can lead to incorrect behavior or potential crashes when FF effects are triggered. Add a check for the return value of input_ff_create_memless(). 2026-05-27 not yet calculated CVE-2026-45969 https://git.kernel.org/stable/c/496a345cc047a2c2d9d5a76956e1182525578bd5
https://git.kernel.org/stable/c/987dee1486e975e2baa6a5d062cfdf18bbe901c8
https://git.kernel.org/stable/c/33acf9a4d6eb1f6d01691faca96ad6b2ab0fcfc0
https://git.kernel.org/stable/c/d955aeb26e1210a018492b3b32cbdfaf017aaa25
https://git.kernel.org/stable/c/35301ca2a83d17aac2f3e8e35c696f0da2a13111
https://git.kernel.org/stable/c/45b01d85265bc1ccdd69e0a7887db4b905a778f4
https://git.kernel.org/stable/c/e6807641ac94e832988655a1c0e60ccc806b76dc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Limit bpf program signature size Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE. Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into expensive allocation paths (via kmalloc_large or vmalloc). 2026-05-27 not yet calculated CVE-2026-45971 https://git.kernel.org/stable/c/5835a077c6f5c565d525eaca9fac01572b97a9b9
https://git.kernel.org/stable/c/eb8166c79097996396468a341de258a798789d36
https://git.kernel.org/stable/c/ea1535e28bb3773fc0b3cbd1f3842b808016990c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix UMR hang in LAG error state unload During firmware reset in LAG mode, a race condition causes the driver to hang indefinitely while waiting for UMR completion during device unload. See [1]. In LAG mode the bond device is only registered on the master, so it never sees sys_error events from the slave. During firmware reset this causes UMR waits to hang forever on unload as the slave is dead but the master hasn’t entered error state yet, so UMR posts succeed but completions never arrive. Fix this by adding a sys_error notifier that gets registered before MLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device(). This ensures error events reach the bond device throughout teardown. [1] Call Trace: __schedule+0x2bd/0x760 schedule+0x37/0xa0 schedule_preempt_disabled+0xa/0x10 __mutex_lock.isra.6+0x2b5/0x4a0 __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib] ? __xa_erase+0x4a/0xa0 ? _cond_resched+0x15/0x30 ? wait_for_completion+0x31/0x100 ib_dereg_mr_user+0x48/0xc0 [ib_core] ? rdmacg_uncharge_hierarchy+0xa0/0x100 destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs] uverbs_destroy_uobject+0x37/0x150 [ib_uverbs] __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs] uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] remove_client_context+0x8b/0xd0 [ib_core] disable_device+0x8c/0x130 [ib_core] __ib_unregister_device+0x10d/0x180 [ib_core] ib_unregister_device+0x21/0x30 [ib_core] __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib] auxiliary_bus_remove+0x1e/0x30 device_release_driver_internal+0x103/0x1f0 bus_remove_device+0xf7/0x170 device_del+0x181/0x410 mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core] mlx5_disable_lag+0x253/0x260 [mlx5_core] mlx5_lag_disable_change+0x89/0xc0 [mlx5_core] mlx5_eswitch_disable+0x67/0xa0 [mlx5_core] mlx5_unload+0x15/0xd0 [mlx5_core] mlx5_unload_one+0x71/0xc0 [mlx5_core] mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core] process_one_work+0x1a7/0x360 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x22/0x40 2026-05-27 not yet calculated CVE-2026-45973 https://git.kernel.org/stable/c/c8fb5c965ac7d0104872a8e4f6451f3bc6328199
https://git.kernel.org/stable/c/6d838873da9cb97551d42316967cc82bf8f8031b
https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc
https://git.kernel.org/stable/c/ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equals to the key we asked for, meaning we have reached the end of the tree and therefore the path is not valid. If this happens we need to break out of the loop and stop, instead of continuing and accessing an invalid path. 2026-05-27 not yet calculated CVE-2026-45974 https://git.kernel.org/stable/c/023545e272f369d487e6a986c1e321c6e04be1da
https://git.kernel.org/stable/c/fd4913a53e3b54ad7e161847291439fe445d6356
https://git.kernel.org/stable/c/b5b8ade9da452086e78f5d519b90d3769e354853
https://git.kernel.org/stable/c/1ee1d006c9fe4d6be5527ab1c84216b80cccbe40
https://git.kernel.org/stable/c/0761447f6f51e1c7997960d8e6559337deed6729
https://git.kernel.org/stable/c/d7cf2314dd5e8661c05d076cd627eea9a7f76616
https://git.kernel.org/stable/c/b2bd557b75b760e4b9d209112bda19314bd64558
https://git.kernel.org/stable/c/ecb7c2484cfc83a93658907580035a8adf1e0a92
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in userspace-mapped memory. It’s racy to access its fields with normal loads, as userspace may write to them concurrently. Use READ_ONCE() to copy the ublksrv_ctrl_cmd from the io_uring_sqe to the stack. Use the local copy in place of the one in the io_uring_sqe. 2026-05-27 not yet calculated CVE-2026-45975 https://git.kernel.org/stable/c/ce63eda3e6d36e2c253febee1c8421ecbd1a680e
https://git.kernel.org/stable/c/ed9f54cc1e335096733aed03c2a46de3d58922ed
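
The two ublk entries above (CVE-2026-45962, the SQE128 check that must precede any access to sqe->cmd, and CVE-2026-45975, the READ_ONCE() snapshot of a command that lives in userspace-mapped memory) describe the same hazard: the kernel parses a structure that userspace can rewrite at any moment. The following user-space C model is an added illustration written for this summary; it is not the kernel's ublk code. The struct layout, the SQE128 flag value, the 80-byte payload size and the MAX_CMD_LEN bound are assumptions for the demonstration, and a callback stands in for the concurrent userspace writer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants for the model (not the kernel's real values). */
#define SQE_F_SQE128  0x1u      /* SQE carries the extended cmd area */
#define SQE_CMD_BYTES 80
#define MAX_CMD_LEN   64        /* bound the handler is supposed to enforce */

struct ctrl_cmd {               /* stand-in for struct ublksrv_ctrl_cmd */
    uint32_t dev_id;
    uint16_t queue_id;
    uint16_t len;               /* later used as a copy length */
    uint64_t addr;
};

struct sqe {
    unsigned int flags;
    union {
        uint8_t raw[SQE_CMD_BYTES];
        struct ctrl_cmd cmd;
    } u;                        /* userspace-mapped memory */
};

/* Stands in for a concurrent userspace writer, invoked between check and use. */
typedef void (*tamper_fn)(struct sqe *sqe);

/* Buggy shape: touches the cmd before the SQE128 check and re-reads the
 * shared field after validating it (double fetch). Returns the length it
 * would hand to the copy, or -1 when the command is rejected. */
static long handle_unsafe(struct sqe *sqe, tamper_fn tamper)
{
    const struct ctrl_cmd *cmd = &sqe->u.cmd;

    if (cmd->len > MAX_CMD_LEN)             /* fetch #1, validated... */
        return -1;
    if (!(sqe->flags & SQE_F_SQE128))       /* ...but cmd was read before this */
        return -1;
    if (tamper)
        tamper(sqe);                        /* userspace races in here */
    return cmd->len;                        /* fetch #2 uses the new value */
}

/* Fixed shape: check SQE128 first, copy the command once with volatile
 * byte reads (the READ_ONCE() idea), then use only the local copy. */
static long handle_safe(struct sqe *sqe, tamper_fn tamper)
{
    struct ctrl_cmd local;
    const volatile uint8_t *src = sqe->u.raw;
    uint8_t *dst = (uint8_t *)&local;

    if (!(sqe->flags & SQE_F_SQE128))       /* nothing in cmd touched before this */
        return -1;
    for (size_t i = 0; i < sizeof local; i++)
        dst[i] = src[i];                    /* single fetch into kernel-owned storage */
    if (local.len > MAX_CMD_LEN)
        return -1;
    if (tamper)
        tamper(sqe);                        /* too late: the SQE is never read again */
    return local.len;
}

/* Constructed inputs for the demonstration. */
static void set_len(struct sqe *sqe, uint16_t len) { sqe->u.cmd.len = len; }

static void attacker_bumps_len(struct sqe *sqe) { set_len(sqe, 4096); }

static struct sqe make_sqe(unsigned int flags, uint16_t len)
{
    struct sqe s;
    memset(&s, 0, sizeof s);
    s.flags = flags;
    set_len(&s, len);
    return s;
}

/* 1 if the handler would copy more than MAX_CMD_LEN after the race, else 0. */
static int overflows(long (*handler)(struct sqe *, tamper_fn), unsigned int flags)
{
    struct sqe s = make_sqe(flags, 16);
    long n = handler(&s, attacker_bumps_len);
    return n > MAX_CMD_LEN;
}
```

handle_unsafe passes its own length check and then copies 4096 bytes because the second read sees the attacker's value; handle_safe returns the 16 it validated. The same snapshot-then-validate discipline applies to any ioctl or ring-buffer header shared with userspace.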
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_ras_init() When amdgpu_nbio_ras_sw_init() fails in amdgpu_ras_init(), the function returns directly without freeing the allocated con structure, leading to a memory leak. Fix this by jumping to the release_con label to properly clean up the allocated memory before returning the error code. Compile tested only. Issue found using a prototype static analysis tool and code review. 2026-05-27 not yet calculated CVE-2026-45976 https://git.kernel.org/stable/c/f8a5426652bdadd4a5cb48326d48abbdfebe8153
https://git.kernel.org/stable/c/c11cd77a18115d2cd3f4b6915c4a537b6042f950
https://git.kernel.org/stable/c/2fef8c2ac67e7c1b0409d23653300b134c63e54c
https://git.kernel.org/stable/c/3f43e7812b30d6b2e850218f9bb1dae60727fcef
https://git.kernel.org/stable/c/ee41e5b63c8210525c936ee637a2c8d185ce873c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions. fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable. Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true … preempt … CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled. 2026-05-27 not yet calculated CVE-2026-45977 https://git.kernel.org/stable/c/223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd
https://git.kernel.org/stable/c/5f10ab3643c58a22fbaee92c4701b00fcb4a465d
https://git.kernel.org/stable/c/ee5492fd88cfc079c19fbeac78e9e53b7f6c04f3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: staging: greybus: lights: avoid NULL deref gb_lights_light_config() stores channel_count before allocating the channels array. If kcalloc() fails, gb_lights_release() iterates the non-zero count and dereferences light->channels, which is NULL. Allocate channels first and only then publish channels_count so the cleanup path can’t walk a NULL pointer. 2026-05-27 not yet calculated CVE-2026-45978 https://git.kernel.org/stable/c/a118724d7641b832fa14323e2733e28ae4834552
https://git.kernel.org/stable/c/3cbe694d235d96f628ec7dc6ae4d8bdddb768699
https://git.kernel.org/stable/c/ba5022162da63059bae36c4fd84d7031f582c71f
https://git.kernel.org/stable/c/65f2c608096d766540953d9b170d216aa3b5eb95
https://git.kernel.org/stable/c/01b91cb3e748032fd96bbe0043812b426a52f091
https://git.kernel.org/stable/c/06162d85f830582da6e9e5fcf9c9504d6da9ae0b
https://git.kernel.org/stable/c/da46264a7016034a5bbbad034c012ef218b7d0af
https://git.kernel.org/stable/c/efcffd9a6ad8d190651498d5eda53bfc7cf683a7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: clean up the amdgpu_cs_parser_bos In low memory conditions, kmalloc can fail. In such conditions unlock the mutex for a clean exit. We do not need to call amdgpu_bo_list_put() as it has been handled in amdgpu_cs_parser_fini(). 2026-05-27 not yet calculated CVE-2026-45979 https://git.kernel.org/stable/c/0905a1d4a5500ecf11f1c0079098e3a351d22163
https://git.kernel.org/stable/c/f025a2b8d93358467b8e8f4b3a617e88c5f02fab
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: s390/cio: Fix device lifecycle handling in css_alloc_subchannel() `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path frees the subchannel structure directly, bypassing the device model reference counting. Once `device_initialize()` has been called, the embedded struct device must be released via `put_device()`, allowing the release callback to free the container structure. Fix the error path by dropping the initial device reference with `put_device()` instead of calling `kfree()` directly. This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues. 2026-05-27 not yet calculated CVE-2026-45981 https://git.kernel.org/stable/c/2b2ad7ad4a28ffdb9f94e6d979b88a5b12b71681
https://git.kernel.org/stable/c/b1d4e6fb241672850296956c4d782a69363a3807
https://git.kernel.org/stable/c/fd295a75d828c11acfcc6869c2a12cdaaf9b7722
https://git.kernel.org/stable/c/abb6e07f46a740cda4f07d1b561ae4eaa7a1df42
https://git.kernel.org/stable/c/f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424
https://git.kernel.org/stable/c/6715560527e343a387e4a0d2e6c401748e89fa55
https://git.kernel.org/stable/c/c35cfbb5341ba05ad1b4476ffc3c21cc3ff8f603
https://git.kernel.org/stable/c/f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7
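
The s390 entry above (CVE-2026-45981) is an instance of a general driver-model rule: once device_initialize() has run on an embedded struct device, the container may only be freed by dropping the initial reference with put_device() so that the release callback runs. The user-space C model below is an added illustration for this summary, not kernel code; it reimplements device_initialize(), get_device(), put_device() and container_of() in a few lines under assumed names, and a dma_ok argument stands in for dma_set_mask() failing.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel driver-model primitives (assumed, not
 * the real implementations). */
struct device {
    int refcount;
    void (*release)(struct device *dev);
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct subchannel {
    int id;
    struct device dev;          /* embedded; owns the container's lifetime */
};

static int releases_run;        /* how often the release callback executed */

static void subchannel_release(struct device *dev)
{
    struct subchannel *sch = container_of(dev, struct subchannel, dev);
    releases_run++;
    free(sch);                  /* the only place the container is freed */
}

static void device_initialize(struct device *dev, void (*release)(struct device *))
{
    dev->refcount = 1;          /* initial reference belongs to the creator */
    dev->release = release;
}

static void get_device(struct device *dev) { dev->refcount++; }

static void put_device(struct device *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}

/* Error-path policy after device_initialize() when a later step fails. */
enum cleanup { CLEANUP_KFREE /* buggy */, CLEANUP_PUT_DEVICE /* fixed */ };

/* dma_ok == 0 models dma_set_mask() / dma_set_coherent_mask() failing. */
static struct subchannel *css_alloc_subchannel(int id, int dma_ok, enum cleanup how)
{
    struct subchannel *sch = calloc(1, sizeof *sch);
    if (!sch)
        return NULL;
    sch->id = id;
    device_initialize(&sch->dev, subchannel_release);

    if (!dma_ok) {
        if (how == CLEANUP_KFREE)
            free(sch);              /* bypasses the device model: release never runs,
                                       anyone who took a reference now holds a dangling one */
        else
            put_device(&sch->dev);  /* drops the initial ref; release frees sch */
        return NULL;
    }
    return sch;
}

/* Returns how many times release ran for a failed allocation. */
static int release_count_on_failure(enum cleanup how)
{
    releases_run = 0;
    (void)css_alloc_subchannel(7, 0, how);
    return releases_run;
}

/* Normal lifetime: a second holder takes a reference, the object survives the
 * creator's put and is freed only after the last put. Returns the release count,
 * or a negative code if the object was freed too early. */
static int release_count_with_extra_holder(void)
{
    struct subchannel *sch;
    releases_run = 0;
    sch = css_alloc_subchannel(8, 1, CLEANUP_PUT_DEVICE);
    if (!sch)
        return -1;
    get_device(&sch->dev);          /* e.g. the bus core */
    put_device(&sch->dev);          /* creator is done */
    if (releases_run != 0)
        return -2;                  /* would have been a premature free */
    put_device(&sch->dev);          /* last holder */
    return releases_run;
}
```

With CLEANUP_KFREE the release callback never runs, which is exactly the bypass the entry describes; with CLEANUP_PUT_DEVICE the container is freed once, by the release function, regardless of how many other holders exist.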
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() Cover a missed execution path with a new check. 2026-05-27 not yet calculated CVE-2026-45982 https://git.kernel.org/stable/c/7d99cbe717c1b15a66559215df32312d8cf7e525
https://git.kernel.org/stable/c/f2cf475d23b8486dfa414f7ac09f918ffd3c32a5
https://git.kernel.org/stable/c/cce354524da4d10fd2c7eb835e2e4e8ab8c0ce97
https://git.kernel.org/stable/c/b24595b86920911d2b04f862422b896a0620e9ad
https://git.kernel.org/stable/c/56024dbe8c76cff22f53ba81a95d9efd4d0c9c44
https://git.kernel.org/stable/c/f851e03bce968ff9b3faad1b616062e1244fd38d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nfsd: never defer requests during idmap lookup During v4 request compound arg decoding, some ops (e.g. SETATTR) can trigger idmap lookup upcalls. When those upcall responses get delayed beyond the allowed time limit, cache_check() will mark the request for deferral and cause it to be dropped. This prevents nfs4svc_encode_compoundres from being executed, and thus the session slot flag NFSD4_SLOT_INUSE never gets cleared. Subsequent client requests will fail with NFSERR_JUKEBOX, given that the slot will be marked as in-use, making the SEQUENCE op fail. Fix this by making sure that the RQ_USEDEFERRAL flag is always clear during nfs4svc_decode_compoundargs(), since no v4 request should ever be deferred. 2026-05-27 not yet calculated CVE-2026-45983 https://git.kernel.org/stable/c/b9abb760db20504240a7147f27934d900cd80b23
https://git.kernel.org/stable/c/3a72c7dedc99b321e0f267e4e999e5baf07c4593
https://git.kernel.org/stable/c/99e17b20fddac19a228d213e00f6b9e1c10daff9
https://git.kernel.org/stable/c/243f71ed873ff3feeb6f9b5cb145d63f7188b4c4
https://git.kernel.org/stable/c/063a6f22478ef929625000a2caf54667725c1dfd
https://git.kernel.org/stable/c/d75ec4504a4340b033b15cad0303988b3089dd93
https://git.kernel.org/stable/c/8dff54fe88c0dcd4c55bff9fc2fa6ca968290826
https://git.kernel.org/stable/c/f9c206cdc4266caad6a9a7f46341420a10f03ccb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: don’t set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O When allocating blocks during within-EOF DIO and writeback with dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was set when calling ext4_split_convert_extents(), which may potentially result in stale data issues. Assume we have an unwritten extent, and then DIO writes the second half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree |<- ->| —-> dio write this range First, ext4_iomap_alloc() calls ext4_map_blocks() with the EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() finds this extent and calls ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the above flags set. Then, ext4_split_convert_extents() calls ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2 flags set, and it calls ext4_split_extent_at() to split the second half with the EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at() fails to insert the extent due to a temporary -ENOSPC. It zeroes out the first half but converts the entire on-disk extent to written since the EXT4_EXT_DATA_VALID2 flag is set, leaving the second half as unwritten in the extent status tree. [0000000000SSSSSS] data S: stale data, 0: zeroed [WWWWWWWWWWWWWWWW] on-disk extent W: written extent [WWWWWWWWWWUUUUUU] extent status tree Finally, if the DIO fails to write data to the disk, the stale data in the second half will be exposed once the cached extent entry is gone. Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting an unwritten extent before submitting I/O, make ext4_split_convert_extents() zero out the entire extent range for this case, and also mark the extent in the extent status tree for consistency. 2026-05-27 not yet calculated CVE-2026-45985 https://git.kernel.org/stable/c/77e407967cd872cd75d7e4a691908e49c8e6b4d4
https://git.kernel.org/stable/c/37555690f39f78ef69af347d9aff897e07445949
https://git.kernel.org/stable/c/67cdb7bd7442bd3cdc6d6088bbb2df9be2fe936c
https://git.kernel.org/stable/c/2920ec61c98b9476781359f05b94da84e80f54d4
https://git.kernel.org/stable/c/2698731d25823267c29190cb578da9296a0c0d7b
https://git.kernel.org/stable/c/716e7439a5a9b18c3ff882c2f8c834b9ced1aaec
https://git.kernel.org/stable/c/feaf2a80e78f89ee8a3464126077ba8683b62791
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: ccree – fix a memory leak in cc_mac_digest() Add cc_unmap_result() if cc_map_hash_request_final() fails to prevent potential memory leak. 2026-05-27 not yet calculated CVE-2026-45986 https://git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6
https://git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b
https://git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6
https://git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc
https://git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs fields written by the CPU from vmcb02 to the cached vmcb12. This is because the cached vmcb12 is used as the authoritative copy of some of the controls, and is the payload when saving/restoring nested state. int_state is also written by the CPU, specifically bit 0 (i.e. SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync’d to cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites what KVM_SET_NESTED_STATE restored in int_state). However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an interrupt shadow would be restored into vmcb01 instead of vmcb02. This would mostly be benign for L1 (delays an interrupt), but not for L2. For L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before a HLT that should have been in an interrupt shadow). Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02() to avoid this problem. With that, KVM_SET_NESTED_STATE restores the correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it would overwrite it with the same value. 2026-05-27 not yet calculated CVE-2026-45987 https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258
https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61
https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297
https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862
https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in testdrv_probe() The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer ‘dn’ is passed to of_platform_default_populate(), leading to a use-after-free. The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing. 2026-05-27 not yet calculated CVE-2026-45989 https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc
https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c
https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8
https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69
https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: slub: fix data loss and overflow in krealloc() Commit 2cd8231796b5 (“mm/slub: allow to set node and align in k[v]realloc”) introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA node, even when the object is being shrunk. This introduced two bugs in the reallocation fallback path: 1. Data loss during NUMA migration: The jump to ‘alloc_new’ happens before ‘ks’ and ‘orig_size’ are initialized. As a result, the memcpy() in the ‘alloc_new’ block would copy 0 bytes into the new allocation. 2. Buffer overflow during shrinking: When shrinking an object while forcing a new alignment, ‘new_size’ is smaller than the old size. However, the memcpy() used the old size (‘orig_size ?: ks’), leading to an out-of-bounds write. The same overflow bug exists in the kvrealloc() fallback path, where the old bucket size ksize(p) is copied into the new buffer without being bounded by the new size. A simple reproducer: // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW while (1) { void *p = kmalloc(128, GFP_KERNEL); p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE); kfree(p); } demonstrates the issue: ================================================================== BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130 Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47): memcpy_orig+0x68/0x130 krealloc_node_align_noprof+0x1c8/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] … kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64 allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago): krealloc_node_align_noprof+0x19c/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] … ================================================================== Fix it by moving the old size calculation to the top of __do_krealloc() and bounding all copy lengths by the new allocation size. 2026-05-27 not yet calculated CVE-2026-45990 https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd
https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd
https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588
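The two fallback-path bugs in the krealloc() entry above (copying with the old size when shrinking, copying nothing when the size variables were never set) come down to one decision: how many bytes may move into the new allocation. The user-space model below is an added example, not kernel code and not the lkdtm reproducer quoted in the entry; it reimplements only the copy-length policy of a forced reallocation, with a guard region after each buffer so an over-long memcpy() is detected instead of silently corrupting the heap. The names (realloc_trial, copy_len_*) and the guard layout are inventions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed user-space model of the krealloc() fallback path; not kernel
 * code. An object is "reallocated" into a fresh buffer because the old one
 * cannot satisfy a new alignment or NUMA node, and the only question is how
 * many bytes to copy across.
 */
#define GUARD_LEN 256
#define GUARD_BYTE 0xA5

struct tracked {              /* a buffer followed by a guard region */
    unsigned char *base;
    size_t size;              /* usable bytes before the guard */
};

static int tracked_alloc(struct tracked *t, size_t size)
{
    t->base = calloc(size + GUARD_LEN, 1);   /* zeroed, so lost data is visible */
    if (!t->base)
        return -1;
    t->size = size;
    memset(t->base + size, GUARD_BYTE, GUARD_LEN);
    return 0;
}

static int guard_intact(const struct tracked *t)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (t->base[t->size + i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Pre-fix shrink behaviour: copy the OLD object size ('orig_size ?: ks'). */
static size_t copy_len_old_size(size_t old_size, size_t new_size)
{
    (void)new_size;
    return old_size;
}

/* Pre-fix NUMA-migration behaviour: 'ks'/'orig_size' were never set, so the
 * memcpy() copied 0 bytes and the payload was lost. */
static size_t copy_len_uninitialised(size_t old_size, size_t new_size)
{
    (void)old_size; (void)new_size;
    return 0;
}

/* Post-fix behaviour: bound the copy by the new allocation size. */
static size_t copy_len_bounded(size_t old_size, size_t new_size)
{
    return old_size < new_size ? old_size : new_size;
}

/*
 * Reallocate an old_size object into a new_size buffer with the given
 * copy-length policy. Returns 1 if the guard is untouched AND every byte
 * that fits in the new buffer arrived intact, 0 on overflow or data loss,
 * -1 if the trial cannot be run inside the model's own memory.
 */
static int realloc_trial(size_t old_size, size_t new_size,
                         size_t (*copy_len)(size_t, size_t))
{
    struct tracked oldb, newb;
    int ok;

    /* Keep a buggy copy inside our guard so the model never corrupts the
     * real heap; that would be undefined behaviour, not a measurement. */
    if (old_size > new_size + GUARD_LEN)
        return -1;
    if (tracked_alloc(&oldb, old_size))
        return -1;
    if (tracked_alloc(&newb, new_size)) {
        free(oldb.base);
        return -1;
    }
    for (size_t i = 0; i < old_size; i++)
        oldb.base[i] = (unsigned char)(i * 7 + 1);   /* constructed payload */

    memcpy(newb.base, oldb.base, copy_len(old_size, new_size));

    size_t keep = old_size < new_size ? old_size : new_size;
    ok = guard_intact(&newb) && memcmp(newb.base, oldb.base, keep) == 0;

    free(oldb.base);
    free(newb.base);
    return ok;
}

int main(void)
{
    /* Same shape as the lkdtm reproducer: 128-byte object shrunk to 64. */
    return realloc_trial(128, 64, copy_len_bounded) == 1 &&
           realloc_trial(128, 64, copy_len_old_size) == 0 ? 0 : 1;
}
```

With the 128-to-64 shrink from the entry, copy_len_old_size() clobbers the guard (the model's stand-in for the KFENCE "out-of-bounds write ... 120B right of" report) while copy_len_bounded() does not; copy_len_uninitialised() leaves the guard alone but loses the payload, which is the NUMA-migration data-loss case.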
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn’t do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too. 2026-05-27 not yet calculated CVE-2026-45992 https://git.kernel.org/stable/c/be62c8bb03b6aec3790a943d4a7567d4d73b8be9
https://git.kernel.org/stable/c/e0fb842af7052f0ab9e709db0c59300aa4051fc0
https://git.kernel.org/stable/c/1d160e30aa42b7c41163e51366bb34432367260d
https://git.kernel.org/stable/c/438ab932dc6fef5b001dfeba08a18a491edc8f7b
https://git.kernel.org/stable/c/0a7b5221b5b51cc798fcfc3be00d02eade149d69
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: Add spectre boundary for syscall dispatch table The LoongArch syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables. 2026-05-27 not yet calculated CVE-2026-45993 https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90
https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750
https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d
https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533
https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d
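The LoongArch entry above is the classic Spectre v1 shape: an architectural bounds check on the syscall number can be mispredicted, and the table access that follows it speculatively reads past the end of the function pointer table. The block below is an added example, not the LoongArch entry code: it reproduces in user space the generic array_index_mask_nospec() formulation from the kernel's nospec.h and applies it to a three-entry toy syscall table; the table, the sys_* functions and do_syscall() are inventions of this example.

```c
#include <limits.h>

/*
 * Constructed example: a tiny syscall table plus the generic
 * array_index_mask_nospec() clamp, reproduced here outside the kernel.
 */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

typedef long (*syscall_fn)(long);

static long sys_add_one(long a) { return a + 1; }
static long sys_double(long a)  { return a * 2; }
static long sys_negate(long a)  { return -a; }
static long sys_ni_syscall(long a) { (void)a; return -38; /* -ENOSYS */ }

static const syscall_fn sys_call_table[] = {
    sys_add_one, sys_double, sys_negate,
};
#define NR_SYSCALLS (sizeof(sys_call_table) / sizeof(sys_call_table[0]))

/*
 * Returns ~0UL when index < size and 0 otherwise, computed without a
 * branch the CPU could speculate past. If index >= size, then either index
 * already has its top bit set or (size - 1 - index) wraps negative and sets
 * it; the complement clears it and the arithmetic shift yields 0.
 */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): in-range values pass through, out-of-range
 * values become 0, so even a mispredicted bounds check cannot load a
 * pointer from beyond the table. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Dispatch as the fix does: architectural check first, then the clamp. */
static long do_syscall(unsigned long nr, long arg)
{
    if (nr >= NR_SYSCALLS)
        return sys_ni_syscall(arg);
    nr = array_index_nospec(nr, NR_SYSCALLS);
    return sys_call_table[nr](arg);
}

int main(void)
{
    /* A user-controlled nr of 7 must never reach sys_call_table[7]. */
    return do_syscall(1, 21) == 42 && do_syscall(7, 21) == -38 ? 0 : 1;
}
```

The mask relies on a sign-propagating right shift of a negative long, which the kernel's generic version also assumes; architectures with a cheaper native sequence override it, but the contract is the same: the clamp must be branchless so the speculative path is bounded as well as the architectural one.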
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer. 2026-05-27 not yet calculated CVE-2026-45994 https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff
https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c
https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad
https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3
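The ibmasm entry above names two guards: one on count before anything is allocated, and one after the copy that compares the size the header claims against the bytes actually supplied. The block below is an added example, not the driver's code: it implements those two checks on a plain byte buffer. The five single-byte header fields are an assumption made for this example (the page gives only the field names), as are the constructed sample writes and the function names check_write_length(), check_command_fits() and validated_command_size().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed example, not the ibmasm driver. Header layout below is an
 * assumption for this example; only the field names come from the entry.
 */
struct dot_command_header {
    uint8_t type;
    uint8_t command_size;
    uint8_t data_size;
    uint8_t status;
    uint8_t reserved;
};

/* Total bytes the header claims the command occupies (header + payloads). */
static size_t get_dot_command_size(const struct dot_command_header *h)
{
    return sizeof(*h) + h->command_size + h->data_size;
}

/*
 * Guard 1: decided on 'count' alone, before allocating or copying anything.
 * A write too short to even hold a header is rejected with -EINVAL.
 */
static int check_write_length(size_t count)
{
    return count < sizeof(struct dot_command_header) ? -EINVAL : 0;
}

/*
 * Guard 2: run after the user data has been copied into a buffer of exactly
 * 'count' bytes. The header's size fields are user-controlled, so the
 * declared size is checked against the allocation rather than trusted.
 */
static int check_command_fits(const unsigned char *buf, size_t count)
{
    struct dot_command_header h;

    if (check_write_length(count))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));             /* header sits at buffer start */
    if (count < get_dot_command_size(&h))
        return -EINVAL;                     /* claims more than was supplied */
    return 0;
}

/* Bytes a validated command may hand to later field/payload accesses,
 * or 0 if the write was rejected. */
static size_t validated_command_size(const unsigned char *buf, size_t count)
{
    struct dot_command_header h;

    if (check_command_fits(buf, count))
        return 0;
    memcpy(&h, buf, sizeof(h));
    return get_dot_command_size(&h);
}

/* Constructed sample writes (not captured from a real service processor).
 * The first is a 5-byte write whose header declares 200 + 50 payload bytes:
 * before the fix, 255 bytes would be read out of a 5-byte allocation. */
static const unsigned char oversized_claim[5] = { 0x01, 200, 50, 0, 0 };
static const unsigned char well_formed[15]    = { 0x01, 4, 6, 0, 0,
                                                  'c', 'm', 'd', '!',
                                                  1, 2, 3, 4, 5, 6 };

int main(void)
{
    return check_command_fits(oversized_claim, sizeof oversized_claim) == -EINVAL &&
           check_command_fits(well_formed, sizeof well_formed) == 0 ? 0 : 1;
}
```

Guard 2 deliberately accepts a buffer larger than the declared size: the fix as described rejects only buffers smaller than what the header claims, and that is the condition that puts every later header and payload access inside the allocation.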
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_struct uaf io_free_rbuf_ring() uses a struct user_struct, which io_zcrx_ifq_free() puts down before destroying the ring. 2026-05-27 not yet calculated CVE-2026-45995 https://git.kernel.org/stable/c/9feb88eeda6d288f93fcfb6bca563f89e316479d
https://git.kernel.org/stable/c/0fcccfd87152f957fa8312b841f6efef42a05a20
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed). Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it. 2026-05-27 not yet calculated CVE-2026-45996 https://git.kernel.org/stable/c/f99165ef067723221472ce1aff632bc74f562643
https://git.kernel.org/stable/c/385a330083f8dd47c15b02e9a83aef9234a37003
https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff
https://git.kernel.org/stable/c/aa9025a498036b6012769f7af36d421385386c17
https://git.kernel.org/stable/c/1c78c2002380a1fe31bfb01a3d5f29809e55a096
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup. 2026-05-27 not yet calculated CVE-2026-45997 https://git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573
https://git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9
https://git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657
https://git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88
https://git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL’d out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn’t need to take a pointer to the pointer to the packet, so change that to just a pointer. 2026-05-27 not yet calculated CVE-2026-45998 https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c
https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495
https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd
https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd
https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place – however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned. 2026-05-27 not yet calculated CVE-2026-46000 https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5
https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12
https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044
https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00
https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller’s buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure. 2026-05-27 not yet calculated CVE-2026-46001 https://git.kernel.org/stable/c/7eccabff1c9ec15e4b6fe186d5c147b13a9cdb4e
https://git.kernel.org/stable/c/95d48e37a1304d6148406c799479c0fb505aefa7
https://git.kernel.org/stable/c/a11aa9c5fd9dfe62be7cfec1f2a7546afb77254c
https://git.kernel.org/stable/c/24c73e93d6a756e1b8626bb259d2e07c5b89b370
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, treating them as deleted. However, the case of i_nlink == 0 with a non-zero mode and zero dtime slips through. Since ext2 has no orphan list, such a combination can only result from filesystem corruption – a legitimate inode deletion always sets either i_dtime or clears i_mode before freeing the inode. A crafted image can exploit this gap to present such an inode to the VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via ext2_unlink(), ext2_rename() and ext2_rmdir(): WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 do_unlinkat+0x53e/0x730 fs/namei.c:4541 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 vfs_rename+0xf2f/0x2060 fs/namei.c:5021 do_renameat2+0xbe2/0xd50 fs/namei.c:5178 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 vfs_rmdir+0x204/0x690 fs/namei.c:4348 do_rmdir+0x372/0x3e0 fs/namei.c:4407 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Extend the existing i_nlink == 0 check to also catch this case, reporting the corruption via ext2_error() and returning -EFSCORRUPTED. This rejects the inode at load time and prevents it from reaching any of the namei.c paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2026-05-27 not yet calculated CVE-2026-46002 https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae
https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239
https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b
https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d
https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the total number of nodes Currently, the nameserver doesn’t limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion. Hence, limit the maximum number of nodes to 64. Note that the limit of 64 is chosen based on the current platform requirements. If the requirement changes in the future, this limit can be increased. 2026-05-27 not yet calculated CVE-2026-46003 https://git.kernel.org/stable/c/4c46413661431aa60fb134cd4ecdf8beaa39f824
https://git.kernel.org/stable/c/4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0
https://git.kernel.org/stable/c/5cf6d5e5e3b804a44692fbf548a5179442e2e923
https://git.kernel.org/stable/c/8022876894d09ae485b499058c3357da683bcc5d
https://git.kernel.org/stable/c/27d5e84e810b0849d08b9aec68e48570461ce313
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Handle probe errors properly The probe procedure of setup_card() in the caiaq driver doesn’t treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below. However, the problem is not only that; in general, this function drops all error handling (as it’s a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe(). This patch achieves it by changing setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed. Note that card->private_free can still be set safely when returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks. 2026-05-27 not yet calculated CVE-2026-46004 https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd
https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28
https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056
https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5
https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xfs: fix a resource leak in xfs_alloc_buftarg() In the error path, call fs_put_dax() to drop the DAX device reference. 2026-05-27 not yet calculated CVE-2026-46005 https://git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6
https://git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48
https://git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9
https://git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75
https://git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Avoid cacheline sharing for DMA buffer Depending on the architecture the transfer buffer may share a cacheline with the following mutex. As the buffer may be used for DMA, that is problematic. Use the high-level DMA helpers to make sure that cacheline sharing cannot happen. Also drop the comment, as the helpers are documentation enough. https://sashiko.dev/#/message/20260408175814.934BFC19421%40smtp.kernel.org 2026-05-27 not yet calculated CVE-2026-46007 https://git.kernel.org/stable/c/270e5c576a6e30f6b337fa91d35b44c241297533
https://git.kernel.org/stable/c/1869da3efe703b016b23d4885f3fe6c1751959c6
https://git.kernel.org/stable/c/2fa2273016a0483217404cfe330967c4ac6832a9
https://git.kernel.org/stable/c/3023c050af3600bf451153335dea5e073c9a3088
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race When kdamond_fn() main loop is finished, the function cancels the remaining damos_walk() request and unsets damon_ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos_walk() adds the caller’s request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond’s handling of the newly added request. The damos_walk() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with damon_ctx->kdamond unset, and result in deadlocks. For example, let’s suppose kdamond successfully finished the damos_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread waits infinitely. Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() return and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. The issue is found by sashiko [1]. 2026-05-27 not yet calculated CVE-2026-46008 https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5
https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allow_link fails or when .drop_link is performed. Remove the helper. Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient. 2026-05-27 not yet calculated CVE-2026-46009 https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a
https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3
https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d
https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d
https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix memory leaks in rxkad_verify_response() Fix rxkad_verify_response() to free the ticket and the server key under all circumstances by initialising the ticket pointer to NULL and then making all paths through the function after the first allocation has been done go through a single common epilogue that just releases everything – where all the releases skip on a NULL pointer. 2026-05-27 not yet calculated CVE-2026-46012 https://git.kernel.org/stable/c/c4b8f32e73eafd4a5076be890c7c8506ec04567c
https://git.kernel.org/stable/c/852b9d64cea421336579b2de3d1338dfa677e2dd
https://git.kernel.org/stable/c/861b9a0a1823bf064a7b810d29502a9ef043f40f
https://git.kernel.org/stable/c/c91f33fb8356dedc82bc56ce210f1a5dbee62a52
https://git.kernel.org/stable/c/34f61a07e0cdefaecd3ec03bb5fb22215643678f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/memfd_luo: fix physical address conversion in put_folios cleanup In memfd_luo_retrieve_folios()’s put_folios cleanup path: 1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address). 2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0. Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file. This issue was identified by the AI review. https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn 2026-05-27 not yet calculated CVE-2026-46013 https://git.kernel.org/stable/c/bd0d6bde286a2b8e3ae7975b0dcc2d43875d5fc9
https://git.kernel.org/stable/c/3538f90ab89aaf302782b4b073a0aae66904cd67
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Add missing save/restore handling of LBR MSRs MSR_IA32_DEBUGCTLMSR and LBR MSRs are currently not enumerated by KVM_GET_MSR_INDEX_LIST, and LBR MSRs cannot be set with KVM_SET_MSRS. So save/restore is completely broken. Fix it by adding the MSRs to msrs_to_save_base, and allowing writes to LBR MSRs from userspace only (as they are read-only MSRs) if LBR virtualization is enabled. Additionally, to correctly restore L1’s LBRs while L2 is running, make sure the LBRs are copied from the captured VMCB01 save area in svm_copy_vmrun_state(). Note, for VMX, this also fixes a flaw where MSR_IA32_DEBUGCTLMSR isn’t reported as an MSR to save/restore. Note #2, over-reporting MSR_IA32_LASTxxx on Intel is ok, as KVM already handles unsupported reads and writes thanks to commit b5e2fec0ebc3 (“KVM: Ignore DEBUGCTL MSRs with no effect”) (kvm_do_msr_access() will morph the unsupported userspace write into a nop). [sean: guard with lbrv checks, massage changelog] 2026-05-27 not yet calculated CVE-2026-46014 https://git.kernel.org/stable/c/2b922a42b531a82d7881add14a7698dcdc5e1f0a
https://git.kernel.org/stable/c/13a89ada5dcfc2539514c83ba5a2c61157f1ec6c
https://git.kernel.org/stable/c/3700f0788da6acf73b2df56690f4b201aa4aefd2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: remoteproc: xlnx: Only access buffer information if IPI is buffered In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing. 2026-05-27 not yet calculated CVE-2026-46016 https://git.kernel.org/stable/c/5d1451cb2cf6f3d9884d76035a1460aa9bb4b053
https://git.kernel.org/stable/c/7ddbf21116770b7011f2bb0a6056b7604b24c497
https://git.kernel.org/stable/c/06d0bed2552fd0dae27d374d4492a2b672e24eed
https://git.kernel.org/stable/c/8242579859a78c801bb626e9aa4823aca93e28e7
https://git.kernel.org/stable/c/38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment] 2026-05-27 not yet calculated CVE-2026-46017 https://git.kernel.org/stable/c/cbf75cf212ee6e499abc1757fb4b5ae6d70ed0aa
https://git.kernel.org/stable/c/3bac01168982ec3e3bf87efdc1807c7933590a85
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints “invalid uac2 rates” while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far. 2026-05-27 not yet calculated CVE-2026-46018 https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf
https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716
https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef
https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56
https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-aes – Fix 3-page memory leak in atmel_aes_buff_cleanup atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the first page using free_page(), leaking the remaining 3 pages. Use free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak. 2026-05-27 not yet calculated CVE-2026-46019 https://git.kernel.org/stable/c/b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca
https://git.kernel.org/stable/c/65b3589d39d05699c3850202f8333e5361033ea3
https://git.kernel.org/stable/c/61516b4a5b2647dc3f8f67b5dffaf038be997511
https://git.kernel.org/stable/c/230ad8a78fe67266b1ba4685da1abdd61471c5b8
https://git.kernel.org/stable/c/3fcfff4ed35f963380a68741bcd52742baff7f76
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp Patch series “mm/damon/core: validate damos_quota_goal->nid”. node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The node id is used for si_meminfo_node() and NODE_DATA() without proper validation. As a result, privileged users can trigger an out of bounds memory access using DAMON_SYSFS. Fix the issues. The issue was originally reported [1] with a fix by another author. The original author announced [2] that they will stop working including the fix that was still in the review stage. Hence I’m restarting this. This patch (of 2): Users can set damos_quota_goal->nid with arbitrary value for node_mem_{used,free}_bp. But DAMON core is using those for si_meminfo_node() without the validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using the DAMON user-space tool (damo), like below. $ sudo ./damo start --damos_action stat --damos_quota_goal node_mem_used_bp 50% -1 --damos_quota_interval 1s $ sudo dmesg […] [ 65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 Fix this issue by adding the validation of the given node. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio. 2026-05-27 not yet calculated CVE-2026-46020 https://git.kernel.org/stable/c/b09958e235f2b9cd3898b85a8529172afa80d212
https://git.kernel.org/stable/c/bcad74078708f2330a45b55358ebc38f8f4b1127
https://git.kernel.org/stable/c/40250b2dded0604a112be605f3828700d80ad7c2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration. 2026-05-27 not yet calculated CVE-2026-46021 https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13
https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45
https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761
https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06
https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient. 2026-05-27 not yet calculated CVE-2026-46022 https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b
https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841
https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107
https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9
https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84
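The mouse-interrupt entry above makes a point the command_file_write() entry does not: the untrusted index is re-read from the device on every loop iteration, so a single check before the loop is not enough, and a sane-looking writer index can turn hostile after the first entry has been consumed. The block below is an added example, not the ibmasm driver's code: it models the queue in ordinary memory, lets the "device" rewrite its writer register mid-loop, and drains the queue the way the fix does (both indices validated at the top of every iteration, reader reset to 0 on an out-of-range value). Field layout, the 8-byte entry size, the fake_device struct and run_scenario() are inventions of this example.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of the ibmasm remote-input queue; not the driver's
 * code. The "device" lives in memory and a compromised service processor
 * is modelled by a writer index the device rewrites after the first entry
 * has been consumed. Layout and entry size are assumptions.
 */
#define REMOTE_QUEUE_SIZE 60
#define NO_CHANGE UINT32_MAX

struct remote_input { uint8_t bytes[8]; };

struct fake_device {
    uint32_t reader;               /* stand-in for the reader MMIO register */
    uint32_t writer;               /* stand-in for the writer MMIO register */
    struct remote_input queue[REMOTE_QUEUE_SIZE];
    uint32_t writer_after_first;   /* hostile mid-loop rewrite, or NO_CHANGE */
    int faulted;                   /* set once an out-of-range index was seen */
};

static struct fake_device dev;     /* the scenario under test */

/* readl()/writel() stand-ins. The writer is re-read on every iteration, as
 * in the driver, so the device can change it while we are looping. */
static uint32_t get_queue_reader(struct fake_device *d) { return d->reader; }
static uint32_t get_queue_writer(struct fake_device *d) { return d->writer; }
static void set_queue_reader(struct fake_device *d, uint32_t v) { d->reader = v; }

/* Same arithmetic as queue_begin + idx * sizeof(struct remote_input); it is
 * only safe because every caller has already bounds-checked idx. */
static const struct remote_input *get_queue_entry(struct fake_device *d, uint32_t idx)
{
    return &d->queue[idx];
}

static uint32_t advance_queue_reader(uint32_t reader)
{
    return (reader + 1) % REMOTE_QUEUE_SIZE;
}

/*
 * Drain the queue the way the fixed handler does: validate both indices at
 * the top of every iteration, before any entry address is computed. On an
 * out-of-range value, reset the reader register to 0 so a transient glitch
 * does not wedge the queue, flag the device and stop. Returns the number of
 * entries consumed.
 */
static unsigned int drain_queue(struct fake_device *d)
{
    unsigned int consumed = 0;
    uint32_t reader = get_queue_reader(d);
    uint32_t writer = get_queue_writer(d);
    struct remote_input input;

    while (reader != writer) {
        if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
            d->faulted = 1;
            set_queue_reader(d, 0);
            return consumed;
        }
        memcpy(&input, get_queue_entry(d, reader), sizeof(input));
        consumed++;                  /* a real handler would report 'input' */
        reader = advance_queue_reader(reader);
        set_queue_reader(d, reader);

        /* Hostile device: rewrite the writer register once, mid-loop. */
        if (consumed == 1 && d->writer_after_first != NO_CHANGE)
            d->writer = d->writer_after_first;
        writer = get_queue_writer(d);
    }
    return consumed;
}

/* Populate 'dev' with the given register values and drain it. */
static unsigned int run_scenario(uint32_t reader, uint32_t writer,
                                 uint32_t writer_after_first)
{
    memset(&dev, 0, sizeof(dev));
    for (unsigned int i = 0; i < REMOTE_QUEUE_SIZE; i++)
        dev.queue[i].bytes[0] = (uint8_t)i;   /* constructed payload */
    dev.reader = reader;
    dev.writer = writer;
    dev.writer_after_first = writer_after_first;
    return drain_queue(&dev);
}

int main(void)
{
    /* Writer advertised as 3, then rewritten to 99 after one entry:
     * exactly one entry is consumed and the reader is reset to 0. */
    return run_scenario(0, 3, 99) == 1 && dev.faulted && dev.reader == 0 ? 0 : 1;
}
```

Without the per-iteration check, the third scenario in the test (writer rewritten to 99 after the first entry) would compute an entry address 99 * 8 bytes past the queue start on the next pass, which in the real driver is the out-of-range MMIO read the entry describes.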
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in create_dirty_log() The argument count calculation in create_dirty_log() performs `*args_used = 2 + param_count` before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent `argc < *args_used` check to be bypassed. The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array. Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe. 2026-05-27 not yet calculated CVE-2026-46023 https://git.kernel.org/stable/c/35f6b3281efd44d19110574663bc17a610bc73b9
https://git.kernel.org/stable/c/47dad9eea75d33212d3d2cea10e7ed6a1bfc0713
https://git.kernel.org/stable/c/87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca
https://git.kernel.org/stable/c/17a08791d428885d00e510864283a7b839792368
https://git.kernel.org/stable/c/4c788c6f921b22f9b6c3f316c4a071c05683e7de
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damon_call() vs kdamond_fn() exit race Patch series “mm/damon/core: fix damon_call()/damos_walk() vs kdmond exit race”. damon_call() and damos_walk() can leak memory and/or deadlock when they race with kdamond terminations. Fix those. This patch (of 2): When the kdamond_fn() main loop is finished, the function cancels all remaining damon_call() requests and unsets damon_ctx->kdamond so that API callers and API functions themselves can know the context is terminated. damon_call() adds the caller’s request to the queue first. After that, it checks whether the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running does damon_call() start waiting for the kdamond’s handling of the newly added request. The damon_call() request registration and the damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damon_call() can race with the damon_ctx->kdamond unset and result in deadlocks. For example, suppose kdamond has just finished cancelling the damon_call() requests. Right after that, damon_call() is called for the context. It registers the new request and sees that the context is still running, because damon_ctx->kdamond has not yet been unset. Hence the damon_call() caller starts waiting for the handling of the request. However, the kdamond is already in its termination steps, so it never handles the new request. As a result, the damon_call() caller thread waits forever. Fix this by introducing another damon_ctx field, namely call_controls_obsolete. It is protected by damon_ctx->call_controls_lock, which protects damon_call() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() return, and set it just before the cancelling of remaining damon_call() requests is executed. damon_call() reads the obsolete field under the lock and avoids adding a new request. 
After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it too. Note that the deadlock will not happen when damon_call() is called for a repeat-mode request. In this case, damon_call() returns instead of waiting for the handling when the request registration succeeds and the kdamond appears to be running. However, if the request also has dealloc_on_cancel, the request memory would be leaked. The issue was found by sashiko [1]. 2026-05-27 not yet calculated CVE-2026-46025 https://git.kernel.org/stable/c/2691332ad88b57179c38653e2cd613d5820a52cf
https://git.kernel.org/stable/c/e6a053a6f4b5048746c49432a5cc5b79fe4695fe
https://git.kernel.org/stable/c/55da81663b9642dd046b26dd6f1baddbcf337c1e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum number of lookups Current code does no bounds checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket. Fix this issue by limiting the maximum number of lookups to 64 globally. Since the nameserver allows at most one local observer, this global lookup count will ensure that the lookups stay within the limit. Note that the limit of 64 is chosen based on the current platform requirements. If requirements change in the future, this limit can be increased. 2026-05-27 not yet calculated CVE-2026-46026 https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3
https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113
https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346
https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef
https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead – snapshot IV for async AEAD requests AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the original request has fully completed, which can lead to inconsistent IV handling. Snapshot the IV into per-request storage when preparing the AEAD request, so in-flight operations no longer depend on mutable socket state. 2026-05-27 not yet calculated CVE-2026-46028 https://git.kernel.org/stable/c/08ea39a556ecd39b33c2b4888861001c6706a62e
https://git.kernel.org/stable/c/a920cabdb0b7cf1f4e11a20524253ae5bd09092b
https://git.kernel.org/stable/c/fa0fcec9b49d58e71df7ede91ecd86855f608e85
https://git.kernel.org/stable/c/c2138c9bd02af19e0b407376140cd5435b0d81da
https://git.kernel.org/stable/c/46fdb39e83227b5d39f7c934a0947ea913f13c18
https://git.kernel.org/stable/c/ebc235675f24b0e3f8bc92b8419471d42f837d8f
https://git.kernel.org/stable/c/3d72f8c6490dc79210b64270740cb2a8619361a4
https://git.kernel.org/stable/c/5aa58c3a572b3e3b6c786953339f7978b845cc52
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device_node leak in mc_probe() of_parse_phandle() returns a device_node reference that must be released with of_node_put(). The original code never freed r5_core_node on any exit path, causing a memory leak. Fix this by using the automatic cleanup attribute __free(device_node) which ensures of_node_put() is called when the variable goes out of scope. 2026-05-27 not yet calculated CVE-2026-46030 https://git.kernel.org/stable/c/b6e61356ad24987be40bf25369d22dd8dd00a513
https://git.kernel.org/stable/c/17e136993b2b5111d1ee1c57bbd188ae0bb0e128
https://git.kernel.org/stable/c/5c709b376460ff322580c41600e31c02f7cc0307
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT If loading L1’s CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible. From the APM: Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context: … if (illegal host state loaded, or exception while loading host state) shutdown else execute first host instruction following the VMRUN Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway. 2026-05-27 not yet calculated CVE-2026-46032 https://git.kernel.org/stable/c/9a738cf170a4a2332ea3a15e23ec65b5757fe4a1
https://git.kernel.org/stable/c/5d291ef0585ed880ed4dd71ea1a5965e0a65fb53
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn – reject short ahash digests during instance creation authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data. While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm’s default authsize from that value. As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access. Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize. 2026-05-27 not yet calculated CVE-2026-46033 https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3
https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88
https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476
https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b
https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Fix NULL pointer dereference in interrupt trigger path Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD. The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering. This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop. 2026-05-27 not yet calculated CVE-2026-46034 https://git.kernel.org/stable/c/51bf7638f33aece41cb3f4cbeb942cc52950e329
https://git.kernel.org/stable/c/5d6c349c9823eb819fed8b537b088cf38126018c
https://git.kernel.org/stable/c/338a736aaf15e8ba3635ce20b29af5b8fc15e66a
https://git.kernel.org/stable/c/5ea5880764cbb164afb17a62e76ca75dc371409d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists. With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module: BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 […] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 rmqueue.isra.0+0x2a9/0xa70 get_page_from_freelist+0xeb/0x450 alloc_frozen_pages_nolock_noprof+0x111/0x1e0 allocate_slab+0x42a/0x500 ___slab_alloc+0xa7/0x4c0 kmalloc_nolock_noprof+0x164/0x310 […] </NMI> Fix this by returning NULL early when invoked from NMI on a UP kernel. 2026-05-27 not yet calculated CVE-2026-46035 https://git.kernel.org/stable/c/05b4ed8bef30bba4f559c8d835e2dd20c48cf8a4
https://git.kernel.org/stable/c/a6d57efeaae3f3b3656514f600eac96be713d90e
https://git.kernel.org/stable/c/620b46ed6ae17c8438d889c8c0cfddab36a1476c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Free the node during ctrl_cmd_bye() A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and finally free the node. But currently, the nameserver doesn’t free the node memory even after processing the BYE packet. This causes the node memory to leak. Hence, remove the node from the Xarray list and free the node memory in both the success and failure cases of ctrl_cmd_bye(). 2026-05-27 not yet calculated CVE-2026-46038 https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11
https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a
https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6
https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0
https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff (“inotify: Convert to using per-namespace limits”), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path. 2026-05-27 not yet calculated CVE-2026-46040 https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40
https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12
https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a
https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d
https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() hdlc_append() calls usleep_range() to wait for circular buffer space, but it is called with tx_producer_lock (a spinlock) held via hdlc_tx_frames() -> hdlc_append_tx_frame()/hdlc_append_tx_u8()/etc. Sleeping while holding a spinlock is illegal and can trigger “BUG: scheduling while atomic”. Fix this by moving the buffer-space wait out of hdlc_append() and into hdlc_tx_frames(), before the spinlock is acquired. The new flow: 1. Pre-calculate the worst-case encoded frame length. 2. Wait (with sleep) outside the lock until enough space is available, kicking the TX consumer work to drain the buffer. 3. Acquire the spinlock, re-verify space, and write the entire frame atomically. This ensures that sleeping only happens without any lock held, and that frames are either fully enqueued or not written at all. This bug was found by the CodeQL static analysis tool (interprocedural sleep-in-atomic query) and my code review. 2026-05-27 not yet calculated CVE-2026-46041 https://git.kernel.org/stable/c/9f2b87bcdfed55145acbf932dc12f2c057145cad
https://git.kernel.org/stable/c/b2801647c203a38e013802e9e9616b5bfac64968
https://git.kernel.org/stable/c/51667fe2d9294d66e0228b9f51d1f01b6680a641
https://git.kernel.org/stable/c/6b526dca0966f2370835765019a54319b78fca8d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weighted_interleave_auto_store() weighted_interleave_auto_store() fetches old_wi_state inside the if (!input) block only. This causes two memory leaks: 1. When a user writes “false” and the current mode is already manual, the function returns early without freeing the freshly allocated new_wi_state. 2. When a user writes “true”, old_wi_state stays NULL because the fetch is skipped entirely. The old state is then overwritten by rcu_assign_pointer() but never freed, since the cleanup path is gated on old_wi_state being non-NULL. A user can trigger this repeatedly by writing “1” in a loop. Fix both leaks by moving the old_wi_state fetch before the input check, making it unconditional. This also allows a unified early return for both “true” and “false” when the requested mode matches the current mode. Reviewed by: Donet Tom <donettom@linux.ibm.com> 2026-05-27 not yet calculated CVE-2026-46042 https://git.kernel.org/stable/c/c42a7efb9060d89b72708ffaf255d0002c2164a7
https://git.kernel.org/stable/c/39caa9ca863f96b3d00447c5aa200cabda489856
https://git.kernel.org/stable/c/6fae274ce0e3109cbbc4c18b354eaace1f0af7d7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Clean up kthread on errors If an error occurs after the ssif kthread is created, but before the main IPMI code starts the ssif interface, the ssif kthread will not be stopped. So make sure the kthread is stopped on an error condition if it is running. 2026-05-27 not yet calculated CVE-2026-46044 https://git.kernel.org/stable/c/858bc8b9edb6eaf0522900128bb9053e2df6b0f6
https://git.kernel.org/stable/c/800febc637d1c1974b1e899dea8a07e115d60766
https://git.kernel.org/stable/c/75c486cb1bcaa1a3ec3a6438498176a3a4998ae4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: skip reading rdevs that are not in_sync When reading bitmap pages from member disks, the code iterates through all rdevs and attempts to read from the first available one. However, it only checks for raid_disk assignment and Faulty flag, missing the In_sync flag check. This can cause bitmap data to be read from spare disks that are still being rebuilt and don’t have valid bitmap information yet. Reading stale or uninitialized bitmap data from such disks can lead to incorrect dirty bit tracking, potentially causing data corruption during recovery or normal operation. Add the In_sync flag check to ensure bitmap pages are only read from fully synchronized member disks that have valid bitmap data. 2026-05-27 not yet calculated CVE-2026-46045 https://git.kernel.org/stable/c/98623c7e2a51eab1833c8628d33fa9c6ef3ce325
https://git.kernel.org/stable/c/3115fa2f62970d98f2a639145fb8e2767db8bbf9
https://git.kernel.org/stable/c/7701e68b5072faa03a8f30b4081dc16df9092381
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() The commit c8e008b60492 (“ext4: ignore xattrs past end”) introduced a refcount leak when block_csum is false. ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to get iloc.bh, but never releases it with brelse(). 2026-05-27 not yet calculated CVE-2026-46046 https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8
https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920
https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf
https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298
https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after-free in driver remove() In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing a use-after-free. Fix this issue by saving the default ‘sk_data_ready’ callback during qrtr_ns_init() and using it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads have completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback. 2026-05-27 not yet calculated CVE-2026-46047 https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4
https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8
https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f
https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae
https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card’s ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()’s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()’s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new(). 2026-05-27 not yet calculated CVE-2026-46048 https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907
https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c
https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8
https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657
https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Add fallback to default RSR for S/PDIF spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR for the MSR calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after the card init. When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin indefinitely. Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects the hardware state, since hw_card_init() already configures the PLL to the default RSR. 2026-05-27 not yet calculated CVE-2026-46049 https://git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559d
https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8
https://git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1
https://git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00d
https://git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b (“raid10: cleanup memleak at raid10_make_request”) added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn’t happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. 
Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 2026-05-27 not yet calculated CVE-2026-46050 https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963
https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45
https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379
https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix soft lockup in retry_aligned_read() When retry_aligned_read() encounters an overlapped stripe, it releases the stripe via raid5_release_stripe() which puts it on the lockless released_stripes llist. In the next raid5d loop iteration, release_stripe_list() drains the stripe onto handle_list (since STRIPE_HANDLE is set by the original IO), but retry_aligned_read() runs before handle_active_stripes() and removes the stripe from handle_list via find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, causing an infinite loop and soft lockup. Fix this by using __release_stripe() with temp_inactive_list instead of raid5_release_stripe() in the failure path, so the stripe does not go through the released_stripes llist. This allows raid5d to break out of its loop, and the overlap will be resolved when the stripe is eventually processed by handle_stripe(). 2026-05-27 not yet calculated CVE-2026-46051 https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49
https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b
https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507
https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea001e90f
https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork() hook_cred_transfer() only copies the Landlock security blob when the source credential has a domain. This is inconsistent with landlock_restrict_self() which can set LOG_SUBDOMAINS_OFF on a credential without creating a domain (via the ruleset_fd=-1 path): the field is committed but not preserved across fork() because the child’s prepare_creds() calls hook_cred_transfer() which skips the copy when domain is NULL. This breaks the documented use case where a process mutes subdomain logs before forking sandboxed children: the children lose the muting and their domains produce unexpected audit records. Fix this by unconditionally copying the Landlock credential blob. 2026-05-27 not yet calculated CVE-2026-46057 https://git.kernel.org/stable/c/2fcde49092aac55d5beef43fdd3633217672f7d1
https://git.kernel.org/stable/c/1c513b8a00df13d231021e74ad92babb3fedf64a
https://git.kernel.org/stable/c/874c8f83826c95c62c21d9edfe9ef43e5c346724
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use NextRIP as vmcb02’s NextRIP after first L2 VMRUN For guests with NRIPS disabled, L1 does not provide NextRIP when running an L2 with an injected soft interrupt, instead it advances the current RIP before running it. KVM uses the current RIP as the NextRIP in vmcb02 to emulate a CPU without NRIPS. However, after L2 runs the first time, NextRIP will be updated by the CPU and/or KVM, and the current RIP is no longer the correct value to use in vmcb02. Hence, after save/restore, use the current RIP if and only if a nested run is pending, otherwise use NextRIP. Give soft_int_next_rip the same treatment, as it’s the same logic, just for a narrower use case. [sean: give soft_int_next_rip the same treatment] 2026-05-27 not yet calculated CVE-2026-46059 https://git.kernel.org/stable/c/3428ed1529a1af4cce5aff6c5bd2fcc39ad726bb
https://git.kernel.org/stable/c/69fe1411a5ce678b4da6489b5d2282b4e1d13acf
https://git.kernel.org/stable/c/8d397582f6b5e9fbcf09781c7c934b4910e94a50
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: qat – fix IRQ cleanup on 6xxx probe failure When adf_dev_up() partially completes and then fails, the IRQ handlers registered during adf_isr_resource_alloc() are not detached before the MSI-X vectors are released. Since the device is enabled with pcim_enable_device(), calling pci_alloc_irq_vectors() internally registers pcim_msi_release() as a devres action. On probe failure, devres runs pcim_msi_release() which calls pci_free_irq_vectors(), tearing down the MSI-X vectors while IRQ handlers (for example ‘qat0-bundle0’) are still attached. This causes remove_proc_entry() warnings: [ 22.163964] remove_proc_entry: removing non-empty directory ‘irq/143’, leaking at least ‘qat0-bundle0’ Moving the devm_add_action_or_reset() before adf_dev_up() does not solve the problem since devres runs in LIFO order and pcim_msi_release(), registered later inside adf_dev_up(), would still fire before adf_device_down(). Fix by calling adf_dev_down() explicitly when adf_dev_up() fails, to properly free IRQ handlers before devres releases the MSI-X vectors. 2026-05-27 not yet calculated CVE-2026-46060 https://git.kernel.org/stable/c/27f561bf894e46bdc2d6209c50884adad79d8277
https://git.kernel.org/stable/c/7cd651f1357dcc477e6483c3a4706836b46bdc92
https://git.kernel.org/stable/c/95aed2af87ec43fa7624cc81dd13d37824ad4972
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: jbd2: fix deadlock in jbd2_journal_cancel_revoke() Commit f76d4c28a46a (“fs/jbd2: use sleeping version of __find_get_block()”) changed jbd2_journal_cancel_revoke() to use __find_get_block_nonatomic() which holds the folio lock instead of i_private_lock. This breaks the lock ordering (folio -> buffer) and causes an ABBA deadlock when the filesystem blocksize < pagesize. The two threads interleave as follows: T1: ext4_mkdir() -> ext4_init_new_dir() -> ext4_append() -> ext4_getblk() -> lock_buffer() <- A. T2: sync_blockdev() -> blkdev_writepages() -> writeback_iter() -> writeback_get_folio() -> folio_lock() <- B. T1: ext4_journal_get_create_access() -> jbd2_journal_cancel_revoke() -> __find_get_block_nonatomic() -> folio_lock() <- B. T2: block_write_full_folio() -> lock_buffer() <- A. This can occasionally cause generic/013 to hang. Fix by only calling __find_get_block_nonatomic() when the passed buffer_head doesn’t belong to the bdev, which is the only case in which we need to look up its bdev alias. Otherwise, the lookup is redundant since the found buffer_head is equal to the one we passed in. 2026-05-27 not yet calculated CVE-2026-46061 https://git.kernel.org/stable/c/dff07cc98fdf6af57a7c054dc09b2050a9d5c287
https://git.kernel.org/stable/c/2b2fee890250ab647a601124471a334bb01a0790
https://git.kernel.org/stable/c/bbd943d6a2d566428324b516a37f98328dfb802d
https://git.kernel.org/stable/c/981fcc5674e67158d24d23e841523eccba19d0e7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86/shstk: Prevent deadlock during shstk sigreturn During sigreturn the shadow stack signal frame is popped. The kernel does this by reading the shadow stack using normal read accesses. When it can’t assume the memory is shadow stack, it takes extra steps to makes sure it is reading actual shadow stack memory and not other normal readable memory. It does this by holding the mmap read lock while doing the access and checking the flags of the VMA. Unfortunately that is not safe. If the read of the shadow stack sigframe hits a page fault, the fault handler will try to recursively grab another mmap read lock. This normally works ok, but if a writer on another CPU is also waiting, the second read lock could fail and cause a deadlock. Fix this by not holding mmap lock during the read access to userspace. Instead use mmap_lock_speculate_…() to watch for changes between dropping mmap lock and the userspace access. Retry if anything grabbed an mmap write lock in between and could have changed the VMA. These mmap_lock_speculate_…() helpers use mm::mm_lock_seq, which is only available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP kernels. So drop support for the other configs under the assumption that the !SMP shadow stack user base does not exist. Currently there is a check that skips the lookup work when the SSP can be assumed to be on a shadow stack. While reorganizing the function, remove the optimization to make the tricky code flows more common, such that issues like this cannot escape detection for so long. 2026-05-27 not yet calculated CVE-2026-46063 https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9
https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5
https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0
https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc
https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller’s free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field. 2026-05-27 not yet calculated CVE-2026-46064 https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0
https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787
https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083
https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c
https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ceph: fix num_ops off-by-one when crypto allocation fails move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch — it can retry that folio in a future batch. However, if this failed folio is not contiguous with the last folio that did make it into the batch, then ceph_process_folio_batch() has already incremented `ceph_wbc->num_ops`; because it doesn’t follow through and add the discontiguous folio to the array, ceph_submit_write() — which expects that `ceph_wbc->num_ops` accurately reflects the number of contiguous ranges (and therefore the required number of “write extent” ops) in the writeback — will panic the kernel: BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops); This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system’s memory pressure until a bounce buffer allocation fails. Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct value when move_dirty_folio_in_page_array() fails, but the folio already started counting a new (i.e. still-empty) extent. The defect corrected by this patch has existed since 2022 (see first `Fixes:`), but another bug blocked multi-folio encrypted writeback until recently (see second `Fixes:`). The second commit made it into 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch therefore fixes a regression (panic) introduced by cac190c7674f. 2026-05-27 not yet calculated CVE-2026-46066 https://git.kernel.org/stable/c/6200f41d6fcf2ac7e24866431e381cbc914560e4
https://git.kernel.org/stable/c/ba12c1e578890f6337a415b7dedf476c6d455105
https://git.kernel.org/stable/c/a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp Users can set damos_quota_goal->nid with an arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using the DAMON user-space tool (damo), like below.
    $ sudo mkdir /sys/fs/cgroup/foo
    $ sudo ./damo start --damos_action stat --damos_quota_interval 1s --damos_quota_goal node_memcg_used_bp 50% -1 /foo
    $ sudo dmseg
    [...]
    [  524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00
Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio. 2026-05-27 not yet calculated CVE-2026-46067 https://git.kernel.org/stable/c/da10db73ada26345244ea5dc52f974692bd05f66
https://git.kernel.org/stable/c/a34dac6482e53e2c76944f25b1489b9b7da3a6e6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx The bounce buffers are allocated with __get_free_pages() using BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error path and nx842_crypto_free_ctx() release the buffers with free_page(). Use free_pages() with the matching order instead. 2026-05-27 not yet calculated CVE-2026-46068 https://git.kernel.org/stable/c/f17a4850d1ce7c11cba8b1830b9bfedfede878bb
https://git.kernel.org/stable/c/910bb34b801d39794e656f7d48414844b2bd354e
https://git.kernel.org/stable/c/5c07962fed66e1238fad7635fa150570bd38b4c5
https://git.kernel.org/stable/c/80fd99d7c30ea889662d21f1b44d8fea4c83138d
https://git.kernel.org/stable/c/adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. 2026-05-27 not yet calculated CVE-2026-46069 https://git.kernel.org/stable/c/11869ce402d95519d49b25a2a97741f68d69d103
https://git.kernel.org/stable/c/63fe3389b3e092d6c0eeea9fc0318e7918b16618
https://git.kernel.org/stable/c/4e179a60a60c0a5aea245e8e67768343c0f070b8
https://git.kernel.org/stable/c/030abbae49cf9fd1fba7aa08e15ec81efbeb78cf
https://git.kernel.org/stable/c/ae5e95d4157481693be2317e3ffcd84e36010cbb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined. Move vmcb_mark_dirty() to callers and drop it for vmcb12. This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs(). 2026-05-27 not yet calculated CVE-2026-46071 https://git.kernel.org/stable/c/a3f0981a5a0e0bd51ad74cc7d9eed32294b24002
https://git.kernel.org/stable/c/9efe23568806d1cd06f7d146f9b3037b8d585a9f
https://git.kernel.org/stable/c/b53ab5167a81537777ac780bbd93d32613aa3bda
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: add buffer boundary checks to run_unpack() run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted. Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer. Found by fuzzing with a source-patched harness (LibAFL + QEMU). 2026-05-27 not yet calculated CVE-2026-46072 https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9
https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62
https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45
https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586
https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when interrupted. This needs to abort the URB and return an error. No data has been received from the device so any reads from the transfer buffer are invalid. The original code tests !ret, which only catches the timeout case (0). On signal delivery (-ERESTARTSYS), !ret is false so the function skips usb_kill_urb() and falls through to read from the unfilled transfer buffer. Fix by capturing the return value into a long (matching the function return type) and handling signal (negative) and timeout (zero) cases with separate checks that both call usb_kill_urb() before returning. 2026-05-27 not yet calculated CVE-2026-46073 https://git.kernel.org/stable/c/8b51277eec433d4e724b273a5a5c64e8acfbe405
https://git.kernel.org/stable/c/b6cb07f02253bdefd2339e57eaa1428a7b28cd0f
https://git.kernel.org/stable/c/d64458784036f5818e22781254b6be299d52a19c
https://git.kernel.org/stable/c/b66437cb20a2d9ef201f40b675569f8ea7787c9f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix memory leaks on probe failures Make sure to deregister the controller, disable pins, and kill and free the RX URB on probe failures to mirror disconnect and avoid memory leaks and use-after-free. Also add an explicit URB kill on disconnect for symmetry (even if that is not strictly required as USB core would have stopped it in the current setup). 2026-05-27 not yet calculated CVE-2026-46074 https://git.kernel.org/stable/c/5c6518633702d7f7b1153e9d8e042af847f11ef3
https://git.kernel.org/stable/c/ff8a7996dc8bf433efe2126ffdaee5b374a89e30
https://git.kernel.org/stable/c/9bee2faf9e21c796d0d222c9d84a98f41bd303a0
https://git.kernel.org/stable/c/b99e3ddb91b499d920e63a2daff8880be68cfe9e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed. Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak. 2026-05-27 not yet calculated CVE-2026-46075 https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11
https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40
https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab
https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7
https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-tdes - fix DMA sync direction Before DMA output is consumed by the CPU, ->dma_addr_out must be synced with dma_sync_single_for_cpu() instead of dma_sync_single_for_device(). Using the wrong direction can return stale cache data on non-coherent platforms. 2026-05-27 not yet calculated CVE-2026-46077 https://git.kernel.org/stable/c/5281e6e2302362f6b75b70cbfe4098d2a25dafd9
https://git.kernel.org/stable/c/12a0adfe498cd5d87e6365d7ca5f6b3eed79e523
https://git.kernel.org/stable/c/863d11b3927703ad95077c81a8a6489c5c7872f7
https://git.kernel.org/stable/c/b5f5df801d161ba244f391519cbff2f4e5c6edc2
https://git.kernel.org/stable/c/c8a9a647532f5c2a04180352693215e24e9dba03
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rbd: fix null-ptr-deref when device_add_disk() fails do_rbd_add() publishes the device with device_add() before calling device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path calls rbd_free_disk() directly and then later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set(). Fix this by following the normal remove ordering: call device_del() before rbd_dev_device_release() when device_add_disk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer confines failslab injections to the __add_disk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/add_single_major. On the unpatched kernel, fail-nth=4 reliably triggered the fault:
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
    RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
    Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
    RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
    RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
    RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
    RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
    R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
    R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
    FS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
    PKRU: 55555554
    Call Trace:
     <TASK>
     blk_mq_free_tag_set+0x77/0x460
     do_rbd_add+0x1446/0x2b80
     ? __pfx_do_rbd_add+0x10/0x10
     ? lock_acquire+0x18c/0x300
     ? find_held_lock+0x2b/0x80
     ? sysfs_file_kobj+0xb6/0x1b0
     ? __pfx_sysfs_kf_write+0x10/0x10
     kernfs_fop_write_iter+0x2f4/0x4a0
     vfs_write+0x98e/0x1000
     ? expand_files+0x51f/0x850
     ? __pfx_vfs_write+0x10/0x10
     ksys_write+0xf2/0x1d0
     ? __pfx_ksys_write+0x10/0x10
     do_syscall_64+0x115/0x690
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f0fbea15907
    Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
    RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
    RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
    RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
    R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
    R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
     </TASK>
With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports. [ idryomov: rename err_out_device_del -> err_out_device ] 2026-05-27 not yet calculated CVE-2026-46079 https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f
https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc
https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb
https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e
https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ocfs2: split transactions in dio completion to avoid credit exhaustion During ocfs2 dio operations, JBD2 may report warnings via the following call trace:
    ocfs2_dio_end_io_write
    ocfs2_mark_extent_written
    ocfs2_change_extent_flag
    ocfs2_split_extent
    ocfs2_try_to_merge_extent
    ocfs2_extend_rotate_transaction
    ocfs2_extend_trans
    jbd2__journal_restart
    start_this_handle
output:
    JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449
To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to handle extents in a batch of transactions. Additionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode should only be removed from the orphan list after the extent tree update is complete. This ensures that if a crash occurs in the middle of extent tree updates, we won’t leave stale blocks beyond EOF. This patch also changes the logic for updating the inode size and removing orphan, making it similar to ext4_dio_write_end_io(). Both operations are performed only when everything looks good. Finally, thanks to Jans and Joseph for providing the bug fix prototype and suggestions. 2026-05-27 not yet calculated CVE-2026-46080 https://git.kernel.org/stable/c/886f97fa59d0bbfa9859fb1a66dd9e014b522d89
https://git.kernel.org/stable/c/ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e
https://git.kernel.org/stable/c/3c636a3edca9c3f180b3079f94fe7e115730d9c6
https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d
https://git.kernel.org/stable/c/d647c5b2fbf81560818dacade360abc8c00a9665
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 INVLPGA should cause a #UD when EFER.SVME is not set. Add a check to properly inject #UD when EFER.SVME=0. [sean: tag for stable@] 2026-05-27 not yet calculated CVE-2026-46082 https://git.kernel.org/stable/c/3ac9d4241d205f5d0df06358349ca718ebb0fa12
https://git.kernel.org/stable/c/643125b66ffc1147c66616b749475ba9efb15971
https://git.kernel.org/stable/c/c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28
https://git.kernel.org/stable/c/ee24928ecd85db4b68ed111e91fef36af0ca37b0
https://git.kernel.org/stable/c/d99df02ff427f461102230f9c5b90a6c64ee8e23
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: fix resource leaks on device setup failure Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup(). 2026-05-27 not yet calculated CVE-2026-46083 https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd
https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce
https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0
https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae
https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs:
    WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
    WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)
Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver’s mana_dealloc_queues() is also updated to call this common function. 2026-05-27 not yet calculated CVE-2026-46084 https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f
https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184
https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc
https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c
https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: bridge: use a stable FDB dst snapshot in RCU readers Local FDB entries can be rewritten in place by `fdb_delete_local()`, which updates `f->dst` to another port or to `NULL` while keeping the entry alive. Several bridge RCU readers inspect `f->dst`, including `br_fdb_fillbuf()` through the `brforward_read()` sysfs path. These readers currently load `f->dst` multiple times and can therefore observe inconsistent values across the check and later dereference. In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change `f->dst` after the NULL check and before the `port_no` dereference, leading to a NULL-ptr-deref. Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` with `WRITE_ONCE()` so the readers and writer use matching access patterns. 2026-05-27 not yet calculated CVE-2026-46086 https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110
https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef
https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5
https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f
https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start() Destroy the DAMON context and reset the global pointer when damon_start() fails. Otherwise, the context allocated by damon_stat_build_ctx() is leaked, and the stale damon_stat_context pointer will be overwritten on the next enable attempt, making the old allocation permanently unreachable. 2026-05-27 not yet calculated CVE-2026-46087 https://git.kernel.org/stable/c/8a62c58411cbd748d7aeab0e5b0963e33ff47a7a
https://git.kernel.org/stable/c/50bc1d7e0f3bb6932c8dc5da0907eead0790176b
https://git.kernel.org/stable/c/e04ed278d25bf15769800bf6e35c6737f137186f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE’s fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p’s object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone. 2026-05-27 not yet calculated CVE-2026-46088 https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0
https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e
https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8
https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97
https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: zram: do not forget to endio for partial discard requests As reported by Qu Wenruo and Avinesh Kumar, the following
    getconf PAGESIZE
    65536
    blkdiscard -p 4k /dev/zram0
takes literally forever to complete. zram doesn’t support partial discards and just returns immediately w/o doing any discard work in such cases. The problem is that we forget to endio on our way out, so blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to end_bio label, which does bio_endio(). 2026-05-27 not yet calculated CVE-2026-46089 https://git.kernel.org/stable/c/2d1f18efccdb8b29552399d024c36b705447e975
https://git.kernel.org/stable/c/35d3300f6357cfaa72db2721dc2b345b19bac5df
https://git.kernel.org/stable/c/a02363f71a79b755daa78a70d6b217f9c13c8c85
https://git.kernel.org/stable/c/68ce397e8236088fc53b9532d383a722288c8194
https://git.kernel.org/stable/c/e3668b371329ea036ff022ce8ecc82f8befcf003
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: rc: igorplugusb: heed coherency rules In a control request, the USB request structure can be subject to DMA on some HCs. Hence it must obey the rules for DMA coherency. Allocate it separately. 2026-05-27 not yet calculated CVE-2026-46091 https://git.kernel.org/stable/c/18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a
https://git.kernel.org/stable/c/0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc
https://git.kernel.org/stable/c/0adac0ee2c42027d80bac02ea9b576a88f8955d3
https://git.kernel.org/stable/c/a62ca67e3c72fb297dc7c86495ba8f7329d7f150
https://git.kernel.org/stable/c/eac69475b01fe1e861dfe3960b57fa95671c132e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: check for PCI upstream bridge existence pci_upstream_bridge() returns NULL if the device is on a root bus. If 8821CE is installed in the system with such a PCI topology, the probing routine will crash. This has probably been unnoticed as 8821CE is mostly supplied in laptops where there is a PCI-to-PCI bridge located upstream from the device. However the card might be installed on a system with a different configuration. Check if the bridge does exist for the specific workaround to be applied. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool. 2026-05-27 not yet calculated CVE-2026-46092 https://git.kernel.org/stable/c/eb101d2abdcccb514ca4fccd3b278dd8267374f6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region. For example, if next lands at end - 1, the check passes since next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region. Fix this by changing the check to (void *)next + sizeof(u32) > end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration. 2026-05-27 not yet calculated CVE-2026-46094 https://git.kernel.org/stable/c/ab6da97bc310db35d4e4ef5354bc3ff626b0698c
https://git.kernel.org/stable/c/5a5314d2387633a272a04d1bd8727f99058e4e68
https://git.kernel.org/stable/c/537e065977022aa22f2c2503e8accaf16622e0fd
https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d
https://git.kernel.org/stable/c/eceafc31ea7b42c984ece10d79d505c0bb6615d5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: raise barrier before state machine transition Move the barrier raise operation before calling llbitmap_state_machine() in both llbitmap_start_write() and llbitmap_start_discard(). This ensures the barrier is in place before any state transitions occur, preventing potential race conditions where the state machine could complete before the barrier is properly raised. 2026-05-27 not yet calculated CVE-2026-46095 https://git.kernel.org/stable/c/9142f00a9287ca38152717e3e88a033a27774e7f
https://git.kernel.org/stable/c/9701d51dd378380ba05293fa391e8ba01065ae8d
https://git.kernel.org/stable/c/ef4ca3d4bf09716cff9ba00eb0351deadc8417ab
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation:
    1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer.
    2. On the success path, the buffer is never destroyed before returning.
All other error paths in the function correctly call tpm_buf_destroy() before returning. Fix both by adding the missing tpm_buf_destroy() calls. 2026-05-27 not yet calculated CVE-2026-46096 https://git.kernel.org/stable/c/f8775d9d9062da662cc861f9ff7722a65896d4cd
https://git.kernel.org/stable/c/2f434be87e256fd58254f60ddf5d7d58e775ca0b
https://git.kernel.org/stable/c/f0f75a3d98b7959a8677b6363e23190f3018636b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Input: edt-ft5x06 - fix use-after-free in debugfs teardown The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer. To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free. 2026-05-27 not yet calculated CVE-2026-46097 https://git.kernel.org/stable/c/a516d43886623e3cca5fa3446bed8fc7c7982be2
https://git.kernel.org/stable/c/9f6c5e7b747d40e1c65cbfcb975857d25154c075
https://git.kernel.org/stable/c/f5f9e07060519e2287e99019a6de1eb3ebb65c37
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless. 2026-05-27 not yet calculated CVE-2026-46098 https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d
https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf
https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9
https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1
https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: reject zero shift in nft_bitwise Reject zero shift operands for nft_bitwise left and right shift expressions during initialization. The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour. Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path. 2026-05-27 not yet calculated CVE-2026-46101 https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95
https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853
https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14
https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b
https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind. 2026-05-27 not yet calculated CVE-2026-46103 https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705
https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b
https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58
https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae
https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: selinux: use sk blob accessor in socket permission helpers SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero. In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks. Use selinux_sock() instead of accessing sk->sk_security directly. 2026-05-28 not yet calculated CVE-2026-46104 https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad
https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101
https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU. 2026-05-28 not yet calculated CVE-2026-46106 https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02
https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba
https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b
https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e
https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state. 2026-05-28 not yet calculated CVE-2026-46108 https://git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007
https://git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12
https://git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c
https://git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e
https://git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix memory leak on ulpi_register() error paths Commit 01af542392b5 (“usb: ulpi: fix double free in ulpi_register_interface() error path”) removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation. 2026-05-28 not yet calculated CVE-2026-46109 https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385
https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c
https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d
https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b
https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()") changed the create handle to FD_PREPARE(), but it caused a kernel null-ptr-deref because after the call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list. Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list. Kernel attempted to write user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x00000000 Faulting instruction address: 0xc0000000001b44a0 Oops: Kernel access of bad area, sig: 11 [#1] … Call Trace: papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable) sys_ioctl+0x528/0x1064 system_call_exception+0x128/0x360 system_call_vectored_common+0x15c/0x2ec Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user gets the srcID handle. To simplify this, we allocate and prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist. This simplifies the error handling: if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list. 2026-05-28 not yet calculated CVE-2026-46118 https://git.kernel.org/stable/c/735439394dde8462f9b50566727fbe333beaadaf
https://git.kernel.org/stable/c/cf51bec1560f8bf115d1476f60335f9d90e110b0
https://git.kernel.org/stable/c/1b9f7aafa44f5ce852c00509104d10fd9eb0f402
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". Reads of 'memcg_path' and 'path' files in the DAMON sysfs interface could race with their writes, resulting in a use-after-free. Fix those. This patch (of 2): damon_sysfs_scheme_filter->memcg_path can be read and written by users, via the DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (use-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock. 2026-05-28 not yet calculated CVE-2026-46121 https://git.kernel.org/stable/c/b1e9f2d5870776347edef927f9bb3ea19b8e3abb
https://git.kernel.org/stable/c/c88802d0e8edd14b6cd2daf3000f99adbc4c85c5
https://git.kernel.org/stable/c/eafd6f5372d29b0dd213799b92c2c9c7ad31d7da
https://git.kernel.org/stable/c/baecc45ad60e621ef14d6c1e7f41ef36bbfdf910
https://git.kernel.org/stable/c/1e68eb96e8beb1abefd12dd22c5637795d8a877e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43_rx() The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read. Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index. 2026-05-28 not yet calculated CVE-2026-46122 https://git.kernel.org/stable/c/c3d7b90dc95020cd9282c4630e402fe224f7644e
https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14
https://git.kernel.org/stable/c/d7029879bafdac2006c67553807d122283dc6cbf
https://git.kernel.org/stable/c/219ba67e69e49681e48c822d6eaafb5def032f34
https://git.kernel.org/stable/c/1f4f78bf8549e6ac4f04fba4176854f3a6e0c332
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound. First there is a double i-- on the first failure path due to the while loop having a i--, remove it. Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--. 2026-05-28 not yet calculated CVE-2026-46126 https://git.kernel.org/stable/c/8f23eb6c50f1a4bf32fc4d62cfb9fc39e8e586cf
https://git.kernel.org/stable/c/bb9cb36eaefa4dcb7c0d9f7a01e5c739abdd53a8
https://git.kernel.org/stable/c/9a05a6798177e44dfbe18393be2c1ebb89ab06fd
https://git.kernel.org/stable/c/34ecf795692ee57c393109f4a24ccc313091e137
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/ocrdma: Don’t NULL deref uctx on errors in ocrdma_copy_pd_uresp() Sashiko points out that pd->uctx isn’t initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn’t NULL. 2026-05-28 not yet calculated CVE-2026-46127 https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd
https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8
https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e
https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51
https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate. 2026-05-28 not yet calculated CVE-2026-46128 https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d
https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0
https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89
https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482
https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn’t normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn’t be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read. 2026-05-28 not yet calculated CVE-2026-46130 https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb
https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: x86: check for nEPT/nNPT in slow flush hypercalls Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself. 2026-05-28 not yet calculated CVE-2026-46131 https://git.kernel.org/stable/c/971f17f5d91045404e3914029ea57c3da90179a4
https://git.kernel.org/stable/c/45fc766bc756ff1d66f8ca026a9c4f7f764adfae
https://git.kernel.org/stable/c/d6f4e217d663ede5becc2fd6cb612c749677387b
https://git.kernel.org/stable/c/4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57
https://git.kernel.org/stable/c/464af6fc2b1dcc74005b7f58ee3812b17777efee
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation: struct ifla_vf_broadcast vf_broadcast; The struct contains a single fixed 32-byte field: /* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; }; The function then copies dev->broadcast into it using dev->addr_len as the length: memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via: nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast) leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable. The other vf_* structs in the same function are explicitly zeroed for exactly this reason – see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added. Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced. Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function. 2026-05-28 not yet calculated CVE-2026-46132 https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00
https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8
https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5
https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011
https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex. This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()). Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue. 2026-05-28 not yet calculated CVE-2026-46134 https://git.kernel.org/stable/c/23ae72e8c2f1c1d1da8cbd479320ddcfcc9c7435
https://git.kernel.org/stable/c/3b13d5883a097f538fccbab1c61c95546d29621f
https://git.kernel.org/stable/c/525cb7ba6661074c1c5cc3772bccc6afab6791ef
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix a potential clc buffer length underflow The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure. 2026-05-28 not yet calculated CVE-2026-46136 https://git.kernel.org/stable/c/e451c325b000b9a0081fd93bc6d103d6943d4b55
https://git.kernel.org/stable/c/90cc573fd2f46ddbc2c329e7814b5ba3deb7b939
https://git.kernel.org/stable/c/0aa63d33742b805d1a218d18d12b983cce4b2f7b
https://git.kernel.org/stable/c/a0111847f0b4f6023f6dd320114697514e024ba3
https://git.kernel.org/stable/c/5373f8b19e568b5c217832b9bbef165bd2b2df14
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d (“smb: common: change the data type of num_aces to le16”) split struct smb_acl’s __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()’ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with “ndr_pull_security_descriptor failed: Range Error”, causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428 2026-05-28 not yet calculated CVE-2026-46139 https://git.kernel.org/stable/c/4c3ed344a970aad51388ac3b0145b98318f0e21f
https://git.kernel.org/stable/c/941a1e6eb35440336913afc88a82103291956d5d
https://git.kernel.org/stable/c/be1ef9512a3f5a755895c24f31b334342f4aa15b
https://git.kernel.org/stable/c/9bdb2ca31368b7671949dfb94a5d57ffccd01edd
https://git.kernel.org/stable/c/5e489c6c47a2ac15edbaca153b9348e42c1eacab
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them. 2026-05-28 not yet calculated CVE-2026-46140 https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c
https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179
https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09
https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/xive: fix kmemleak caused by incorrect chip_data lookup The kmemleak reports the following memory leak: Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ……………. 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ……………. backtrace (crc 177d48f6): __kmalloc_cache_noprof+0x520/0x730 xive_irq_alloc_data.constprop.0+0x40/0xe0 xive_irq_domain_alloc+0xd0/0x1b0 irq_domain_alloc_irqs_parent+0x44/0x6c pseries_irq_domain_alloc+0x1cc/0x354 irq_domain_alloc_irqs_parent+0x44/0x6c msi_domain_alloc+0xb0/0x220 irq_domain_alloc_irqs_locked+0x138/0x4d0 __irq_domain_alloc_irqs+0x8c/0xfc __msi_domain_alloc_irqs+0x214/0x4d8 msi_domain_alloc_irqs_all_locked+0x70/0xf8 pci_msi_setup_msi_irqs+0x60/0x78 __pci_enable_msix_range+0x54c/0x98c pci_alloc_irq_vectors_affinity+0x16c/0x1d4 nvme_pci_enable+0xac/0x9c0 [nvme] nvme_probe+0x340/0x764 [nvme] This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data. When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain. This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above. Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data(). 2026-05-28 not yet calculated CVE-2026-46141 https://git.kernel.org/stable/c/2546fb8c9acc8c7512ed4339ce2a982cb7407065
https://git.kernel.org/stable/c/e66ed135cdf23a318e9727dca48f98f7f6142f78
https://git.kernel.org/stable/c/6771c54728c278bf1e4bfdab4fddbbb186e33498
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix VF illegal register access Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which leads to a system hang. When the device is a VF, the bus function ID can be obtained directly from PCI_FUNC(pdev->devfn). 2026-05-28 not yet calculated CVE-2026-46142 https://git.kernel.org/stable/c/d3bd8040497968f6f5470018724ef7b0df92f707
https://git.kernel.org/stable/c/f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0
https://git.kernel.org/stable/c/33c5bb50b9c40e8451e6aec4487a31d794b98d92
https://git.kernel.org/stable/c/68a007a701bc06fa426507c551ef12514f2e721d
https://git.kernel.org/stable/c/694de316f607fe2473d52ca0707e3918e72c1562
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens As prepare can be called multiple times, this can result in multiple graph opens for the playback path. This will result in memory leaks; fix this by adding a check before opening. 2026-05-28 not yet calculated CVE-2026-46143 https://git.kernel.org/stable/c/3141d8b00cad6d3331953c79060ccc3a0262311b
https://git.kernel.org/stable/c/c91b7bcc70346d07f57ef03d1b9a338324e213de
https://git.kernel.org/stable/c/7cab9f2ad51c858263da836baebad050a1bc7914
https://git.kernel.org/stable/c/b97493f0f42ab9d882a62466782e1900e481a9d6
https://git.kernel.org/stable/c/69acc488aaf39d0ddf6c3cf0e47c1873d39919a2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up. 2026-05-28 not yet calculated CVE-2026-46144 https://git.kernel.org/stable/c/190e570cc0fc7f57eacf80d2b854ba54b4dfad6b
https://git.kernel.org/stable/c/726af85ea4af750b2f75095e24e3cd99797344cb
https://git.kernel.org/stable/c/ab64c63b460bbd0521480bf90d5695783f5e66bc
https://git.kernel.org/stable/c/30e8a2f33815d8f51b8f8b829c07af16c671cc27
https://git.kernel.org/stable/c/6aaa978c6b6218cfac15fe1dab17c76fe229ce3f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor. Add a proper size check to abort the loop for plugging the hole. 2026-05-28 not yet calculated CVE-2026-46146 https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d
https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d
https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8
https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3
https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Two bugs exist in the vCPU initialisation path: 1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup path jumps to ‘unlock’ without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages. Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing ‘unlock’ label. 2. register_hyp_vcpu() publishes the new vCPU pointer into ‘hyp_vm->vcpus[]’ with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object. Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While ‘vm_table_lock’ currently serialises the store and the load, these barriers ensure the reader sees the fully initialised ‘hyp_vcpu’ object even if there were a lockless path or if the lock’s own ordering guarantees were insufficient for nested object initialization. 2026-05-28 not yet calculated CVE-2026-46147 https://git.kernel.org/stable/c/7d3c27b54253cda91dc4d2c1bfc109c490837ab9
https://git.kernel.org/stable/c/6d69c0ed978f7f0efd053fc98390f25ab77c1aea
https://git.kernel.org/stable/c/73b9c1e5da84cd69b1a86e374e450817cd051371
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: control built-in cs manually The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO. This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled. Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use. As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low. 2026-05-28 not yet calculated CVE-2026-46148 https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911
https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307
https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix heap leak in IEEE 1284 device ID via short response usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know. usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap. That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device. Fix this up by just zapping the buffer with zeros before each request sent to the device. 2026-05-28 not yet calculated CVE-2026-46151 https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698
https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f
https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d
https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529
https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: 8021q: delete cleared egress QoS mappings vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory. Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period. 2026-05-28 not yet calculated CVE-2026-46153 https://git.kernel.org/stable/c/a52e122c9e4d56ad9a03b32c915a199276d989c3
https://git.kernel.org/stable/c/7dddc74af369478ba7f9bc136d0fc1dc4570cb66
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the "device" is from "base+PCI_DEVICE_ID", "base" is from "pdev->devfn+1". This is wrong when my platform inserts a discrete GPU: lspci -tv -[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller … +-06.0 Loongson Technology LLC LG100 GPU +-06.2 Loongson Technology LLC Device 7a37 … Add a default switch case to fix the panic as below: Kernel ade access[#1]: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000 ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210 ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1) BADV: 7fffffffffffff00 PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV) Modules linked in: Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____)) Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007 0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff 900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08 0000000000000000 0000000000000000 0000000000000006 90000001002fb778 90000001000530b8 90000000027af000 0000000000000000 9000000100054000 9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001 90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000 0000000000000006 90000000027af000 0000000000000030 90000000027af000 900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560 7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030 … Call Trace: [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210 [<9000000000eebc08>] pci_fixup_device+0x108/0x280 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280 [<900000000189c028>] acpi_scan_init+0x194/0x310 [<900000000189bc6c>] acpi_init+0xcc/0x140 [<9000000000220cdc>] do_one_initcall+0x4c/0x310 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4 [<900000000184326c>] kernel_init+0x28/0x13c [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4 2026-05-28 not yet calculated CVE-2026-46156 https://git.kernel.org/stable/c/07d190e4ec689d6478f7f5e36099fb9bf457e7c5
https://git.kernel.org/stable/c/2cb19b06c09983727573bbe7d7430cbad480a714
https://git.kernel.org/stable/c/9e1aed63a5552958ef2a9bfd699a3f990e52a77f
https://git.kernel.org/stable/c/81fef1c278436e6bd68ee4ca05a0acb96e256561
https://git.kernel.org/stable/c/8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end. Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak. While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely". 2026-05-28 not yet calculated CVE-2026-46158 https://git.kernel.org/stable/c/acd3d3562315c99f3c0db16f0fcc5f0306638982
https://git.kernel.org/stable/c/25e37407442b8766ec2cf52fb4e31b5c3d3aeeae
https://git.kernel.org/stable/c/9634cb35af17019baec21ca648516ce376fa10e6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data. 2026-05-28 not yet calculated CVE-2026-46159 https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a
https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3
https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088
https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641
https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing last_unlink_trans update when removing a directory When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it. Example scenario: mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3 sync -f /mnt # Do some change to the directory and fsync it. chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1 # Move dir2 out of dir1 so that dir1 becomes empty. mv /mnt/dir1/dir2 /mnt/dir3/ open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd <trigger power failure> When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following: [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 —truncated— 2026-05-28 not yet calculated CVE-2026-46160 https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a
https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f
https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49
https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e
https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the "improved" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero. Validate nc and fc immediately after extraction, returning -1 if either is zero. 2026-05-28 not yet calculated CVE-2026-46161 https://git.kernel.org/stable/c/4af2e558e6fdfb972c61350653fd55d1f62b60a5
https://git.kernel.org/stable/c/9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda
https://git.kernel.org/stable/c/913d556e4bd1b56ed822815655b82c7bb54edc51
https://git.kernel.org/stable/c/f9ddb621b2325eb69c95692958daf2bab4dea2c4
https://git.kernel.org/stable/c/9aa6d860b0930e2f72795665c42c44252a558a0c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ice: fix double free in ice_sf_eth_activate() error path When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev). The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free. Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit(). 2026-05-28 not yet calculated CVE-2026-46162 https://git.kernel.org/stable/c/2ca30340b5028ddc3f17086a538feeff06167b1b
https://git.kernel.org/stable/c/121d1f253aed515cd85748f68c664a6cb756e8ad
https://git.kernel.org/stable/c/d0c6a4816609f145ffcc74e64baa214c571c17c6
https://git.kernel.org/stable/c/9aab1c3d7299285e2569cbc0ed5892d631a241b2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX path Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices. 2026-05-28 not yet calculated CVE-2026-46163 https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e
https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35
https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525
https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5
https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period. So, either in an RCU call or after the synchronize_net(). The rtnl_delete_link() must happen under RTNL and so can’t be executed in RCU context. Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here. However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone. In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal. Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released. 2026-05-28 not yet calculated CVE-2026-46165 https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413
https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f
https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0
https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10
https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening. 2026-05-28 not yet calculated CVE-2026-46167 https://git.kernel.org/stable/c/d06d937b0a4cdb8867f04275c8100a8b943da31a
https://git.kernel.org/stable/c/a502b997668401a6821501fc98b7f9220f9b6ff2
https://git.kernel.org/stable/c/762a6ccf391db0d629e590a803a3a2231e17dd3f
https://git.kernel.org/stable/c/6b0e7438e31c74b01514d31ff35c1e688c4baaba
https://git.kernel.org/stable/c/b38e53cbfb9d84732e5984fbd73e128d592415c5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: fix scheduling with atomic in timestamp sockopt Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep. Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic. 2026-05-28 not yet calculated CVE-2026-46168 https://git.kernel.org/stable/c/ebeb70e29e37cfce899309cc2665a3bfe960ed94
https://git.kernel.org/stable/c/b157dab93a7af44a84e78cf0cb311dde475cff5b
https://git.kernel.org/stable/c/8a005fe451c73fd2b3d1faa5643c11e6bd07acfc
https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d
https://git.kernel.org/stable/c/b5c52908d52c6c8eb8933264aa6087a0600fd892
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: – Fixed size for folder and file records – Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. 2026-05-28 not yet calculated CVE-2026-46169 https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d
https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a
https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48
https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6
https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: free sk if last When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put(). But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself". 2026-05-28 not yet calculated CVE-2026-46170 https://git.kernel.org/stable/c/b74ad20198652b6b39a761c277ba65ae82b1e107
https://git.kernel.org/stable/c/8143a224785ceaf2b0856e08d4498916f38228fb
https://git.kernel.org/stable/c/b7b9a461569734d33d3259d58d2507adfac107ed
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: riscv: kvm: fix vector context allocation leak When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning. 2026-05-28 not yet calculated CVE-2026-46171 https://git.kernel.org/stable/c/bd62c0f61bc722a097417401030c596cea8e21aa
https://git.kernel.org/stable/c/1d57ab45ec5c0e22789de793bcf2a31ad6fb7d98
https://git.kernel.org/stable/c/b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path. 2026-05-28 not yet calculated CVE-2026-46172 https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4
https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13
https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f
https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a
https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Don’t allow pointer operations on unconfigured streams When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not 2026-05-28 not yet calculated CVE-2026-46179 https://git.kernel.org/stable/c/327a64241f30c74b6f35537eb9e1fc6c3cbe060b
https://git.kernel.org/stable/c/98ed1383f597f8a45b6cb816bb20b96d46eeceda
https://git.kernel.org/stable/c/0f0c0c1397a42aacaacae828206ee1b921623952
https://git.kernel.org/stable/c/4f42dd01f5217465f23a763e27b3984e114d0972
https://git.kernel.org/stable/c/c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put(). 2026-05-28 not yet calculated CVE-2026-46180 https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265
https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03
https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366
https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c
https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user(). This patch fixes that by initializing the whole struct to 0. 2026-05-28 not yet calculated CVE-2026-46182 https://git.kernel.org/stable/c/0479b6e9f999cc1cbad7d9f09f574fc387e605d5
https://git.kernel.org/stable/c/f88f8e4485b437e0a2f96a7ff1f88aa22d925659
https://git.kernel.org/stable/c/cefeed44296261173a806bef988b26bc565da4be
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock. 2026-05-28 not yet calculated CVE-2026-46183 https://git.kernel.org/stable/c/a34ca3e33da4b924c66bcca3729bf68ec5936910
https://git.kernel.org/stable/c/cf3b71421ca00807328c6d9cd242f9de3b77a4bf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sound: ua101: fix division by zero at probe Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete(). USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash. 2026-05-28 not yet calculated CVE-2026-46184 https://git.kernel.org/stable/c/6162e8212e88c39492d981b248b5e37002486c66
https://git.kernel.org/stable/c/593dd7e6c890d8e4ca21b3e2f796b7cb8e8da983
https://git.kernel.org/stable/c/0ff2b713f406e9ecadb406014d74e7a020ac12b1
https://git.kernel.org/stable/c/f1862dbf09080254c52175a448290c784dd7d3de
https://git.kernel.org/stable/c/d1f73f169c1014463b5060e3f60813e13ddc7b87
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log. 2026-05-28 not yet calculated CVE-2026-46186 https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904
https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c
https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79
https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db
https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: fix kthread lifetime race between self-exit and external-stop RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed. 2026-05-28 not yet calculated CVE-2026-46187 https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3
https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f
https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56
https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f
https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: octeon_ep_vf: add NULL check for napi_build_skb() napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure. 2026-05-28 not yet calculated CVE-2026-46188 https://git.kernel.org/stable/c/60246cdd4c515ea7d920cddf48932efcb990773e
https://git.kernel.org/stable/c/b0f4711b426a06fb4c4be85c36b9f5588d5140d3
https://git.kernel.org/stable/c/6fef6640bbf360e254cc0174365ed30ce3a07572
https://git.kernel.org/stable/c/dd66b42854705e4e4ee7f14d260f86c578bed3e3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free. 2026-05-28 not yet calculated CVE-2026-46189 https://git.kernel.org/stable/c/ecc36a82ecfcfdf3c6606d209f22ec5543c410e0
https://git.kernel.org/stable/c/45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0
https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59
https://git.kernel.org/stable/c/935ee27d0904aa944cbcc979094c20e5ef62eead
https://git.kernel.org/stable/c/e38e86995df27f1f854063dab1f0c6a513db3faf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example. Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer. v2: – fix typos in commit message 2026-05-28 not yet calculated CVE-2026-46191 https://git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80
https://git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27
https://git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2f
https://git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263
https://git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: don’t attempt to transmit during emulated read-only dual/quad operations The core will deal with reads by creating clock cycles itself, there’s no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn’t have a dedicated master-out line like MOSI in regular SPI. I’m not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data. 2026-05-28 not yet calculated CVE-2026-46192 https://git.kernel.org/stable/c/ec9d0ddbde6003c303fa5e1d5cd48952852984d8
https://git.kernel.org/stable/c/67184f361ab4d9fac6d2b8d5fed6649d496038a4
https://git.kernel.org/stable/c/eb56deaabf127e8985fc91fa6c97bf8a3b062844
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: ah: account for ESN high bits in async callbacks AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift: ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36 Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot. Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine. 2026-05-28 not yet calculated CVE-2026-46193 https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6
https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda
https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87
https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d
https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524
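The offsets quoted in the UML log above fall out of a short layout calculation. The following C model is an added example, not code from the kernel or from the bulletin: it rebuilds the AH temporary buffer layout the way the async setup path does ([ip header][seqhi if ESN][auth_data on input][icv]) and the way the pre-fix completion callbacks did (no seqhi slot), and reports the drift. The constants ihl = 20 (plain IPv4 header) and icv_trunc_len = 12 (hmac(sha1)-96) are assumptions consistent with the logged numbers; the real kernel structures are not modelled.

```c
/* Added example, not kernel code: a model of the temporary buffer layout that
 * the AH setup path builds for async hashing and of how the pre-fix completion
 * callbacks reconstruct it. Assumed constants: ihl = 20 (IPv4 header without
 * options) and icv_trunc_len = 12 (hmac(sha1)-96); ESN adds a 4-byte seqhi slot. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IPV4_IHL       20u  /* assumed: plain IPv4 header length */
#define ICV_TRUNC_LEN  12u  /* assumed: hmac(sha1) truncated ICV length */
#define ESN_SEQHI_LEN   4u  /* high-order 32 bits of the ESN sequence number */

struct ah_tmp_layout {
    size_t seqhi_off; /* ESN high bits (only meaningful when esn is set) */
    size_t auth_off;  /* input path: auth_data saved from the packet */
    size_t icv_off;   /* ICV computed by the hash */
};

/* Setup path: [ip header][seqhi if ESN][auth_data, input only][icv]. */
static struct ah_tmp_layout ah_setup_layout(bool esn, bool input)
{
    size_t seqhi_len = esn ? ESN_SEQHI_LEN : 0;
    struct ah_tmp_layout l;

    l.seqhi_off = IPV4_IHL;
    l.auth_off = input ? IPV4_IHL + seqhi_len : 0;
    l.icv_off = input ? l.auth_off + ICV_TRUNC_LEN : IPV4_IHL + seqhi_len;
    return l;
}

/* Callback-side reconstruction. The pre-fix version ignores esn, i.e. it
 * rebuilds the layout as if the seqhi slot were never there. */
static struct ah_tmp_layout ah_callback_layout(bool esn, bool input, bool fixed)
{
    return ah_setup_layout(fixed && esn, input);
}

static size_t ah_callback_icv_off(bool esn, bool input, bool fixed)
{
    return ah_callback_layout(esn, input, fixed).icv_off;
}

static size_t ah_callback_auth_off(bool esn, bool input, bool fixed)
{
    return ah_callback_layout(esn, input, fixed).auth_off;
}

/* Bytes by which the callback's ICV pointer trails the setup path's; 0 is correct. */
static long ah_icv_drift(bool esn, bool input, bool fixed)
{
    return (long)ah_setup_layout(esn, input).icv_off -
           (long)ah_callback_icv_off(esn, input, fixed);
}

int main(void)
{
    for (int i = 0; i < 2; i++) {
        bool fixed = (i == 1);
        const char *tag = fixed ? "post-fix" : "pre-fix ";

        printf("%s ah4 output_done: esn=1 icv_off=%zu expected_off=%zu\n", tag,
               ah_callback_icv_off(true, false, fixed),
               ah_setup_layout(true, false).icv_off);
        printf("%s ah4 input_done: esn=1 auth_off=%zu expected_auth_off=%zu "
               "icv_off=%zu expected_icv_off=%zu\n", tag,
               ah_callback_auth_off(true, true, fixed),
               ah_setup_layout(true, true).auth_off,
               ah_callback_icv_off(true, true, fixed),
               ah_setup_layout(true, true).icv_off);
    }
    return 0;
}
```

Without ESN the two sides agree, which is why the bug only shows up with ESN plus an async AH implementation: the synchronous path never goes through the callback-side reconstruction at all.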
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback – iput – f2fs_drop_inode // I_SYNC set – f2fs_destroy_extent_node – __destroy_extent_node – while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) – __writeback_single_inode – f2fs_outplace_write_data – f2fs_update_read_extent_cache – __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while – f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and checks FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE trees. 2026-05-28 not yet calculated CVE-2026-46194 https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71
https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f
https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26
https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92
https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem’s ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration. 2026-05-28 not yet calculated CVE-2026-46196 https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c
https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49
https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90
https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494
https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e
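The failure described above is an unbalanced side effect on an error path: regfunc() runs for the 0 -> 1 transition, func_add() fails, and nothing unwinds. The C below is an added example, not kernel code: it models tracepoint_add_func() with an injected allocate_probes() failure and a stand-in for sys_tracepoint_refcount, showing the refcount that the pre-fix path leaves stuck at 1 and the symmetric unwind that the fix adds. The structures, the fault-injection flag and the refcount variable are simplified assumptions.

```c
/* Added example, not kernel code: a model of the 0 -> 1 transition in
 * tracepoint_add_func() with an injected allocation failure in func_add(),
 * showing the regfunc() side effect that the pre-fix error path left behind.
 * The structures and the refcount variable are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct tracepoint_ext {
    int (*regfunc)(void);
    void (*unregfunc)(void);
};

struct tracepoint {
    int nr_funcs;                /* probes currently installed */
    struct tracepoint_ext *ext;  /* optional subsystem hooks */
};

/* Stand-in for sys_tracepoint_refcount: while non-zero, every task pays the
 * syscall entry/exit tracing overhead. */
static int sys_tracepoint_refcount;

static int  syscall_regfunc(void)   { sys_tracepoint_refcount++; return 0; }
static void syscall_unregfunc(void) { sys_tracepoint_refcount--; }

/* Fault injection: the next func_add() behaves as if allocate_probes() failed. */
static bool fail_next_alloc;

static int func_add(struct tracepoint *tp)
{
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return -ENOMEM;
    }
    tp->nr_funcs++;
    return 0;
}

/* Pre-fix shape: regfunc() on the first probe, no unwind when func_add() fails. */
static int tracepoint_add_func_buggy(struct tracepoint *tp)
{
    bool first = tp->nr_funcs == 0;
    int ret;

    if (first && tp->ext && tp->ext->regfunc) {
        ret = tp->ext->regfunc();
        if (ret)
            return ret;
    }
    ret = func_add(tp);
    if (ret)
        return ret;              /* regfunc() side effects leak here */
    return 0;
}

/* Post-fix shape: mirror the 1 -> 0 path and call unregfunc() on failure,
 * gated on the same condition that gated regfunc(). */
static int tracepoint_add_func_fixed(struct tracepoint *tp)
{
    bool first = tp->nr_funcs == 0;
    int ret;

    if (first && tp->ext && tp->ext->regfunc) {
        ret = tp->ext->regfunc();
        if (ret)
            return ret;
    }
    ret = func_add(tp);
    if (ret) {
        if (first && tp->ext && tp->ext->unregfunc)
            tp->ext->unregfunc();
        return ret;
    }
    return 0;
}

/* Run one registration (optionally with func_add() forced to fail) on a fresh
 * tracepoint and return the refcount left behind. */
static int refcount_after_add(bool fixed, bool inject_failure)
{
    struct tracepoint_ext ext = { syscall_regfunc, syscall_unregfunc };
    struct tracepoint tp = { 0, &ext };

    sys_tracepoint_refcount = 0;
    fail_next_alloc = inject_failure;
    if (fixed)
        tracepoint_add_func_fixed(&tp);
    else
        tracepoint_add_func_buggy(&tp);
    return sys_tracepoint_refcount;
}

int main(void)
{
    printf("pre-fix,  func_add fails: refcount=%d (no probe installed)\n",
           refcount_after_add(false, true));
    printf("post-fix, func_add fails: refcount=%d\n", refcount_after_add(true, true));
    printf("post-fix, func_add ok:    refcount=%d\n", refcount_after_add(true, false));
    return 0;
}
```

The point worth carrying to other code: any "first user registers a global side effect" pattern needs the unwind on every error path between the side effect and the commit, not just on the normal 1 -> 0 teardown.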
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix controller deregistration Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind. 2026-05-28 not yet calculated CVE-2026-46200 https://git.kernel.org/stable/c/a3669f678d0ee8b686d3eea4c0ed9817c9374945
https://git.kernel.org/stable/c/28f28a0f4e327f792c230493a0ea00389ff68ff5
https://git.kernel.org/stable/c/7fea80d93bfd34051b2ac1cec07766c87d8d28be
https://git.kernel.org/stable/c/0f997fdae819a8c2cc83bd4ff7d935ad76c727c9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as “reset the inactivity timer”. 
2026-05-28 not yet calculated CVE-2026-46202 https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0
https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812
https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: fix unclocked access on unbind Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access. This issue was flagged by Sashiko when reviewing a controller deregistration fix. 2026-05-28 not yet calculated CVE-2026-46203 https://git.kernel.org/stable/c/d67a5311818b3e6481a1e4293c9337ebfee73111
https://git.kernel.org/stable/c/233db2cb14db8b1935dda52a6affd97276462b82
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix empty payload in tap skb for non-linear buffers For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized. Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb(). While touching this code, let’s also check the return value of skb_copy_datagram_iter(), even though it’s unlikely to fail. 2026-05-28 not yet calculated CVE-2026-46207 https://git.kernel.org/stable/c/06747f52ab157591cec7e5623a759473b66ef6f6
https://git.kernel.org/stable/c/52da6a74ca3de0fcda60301096b71534b3b18641
https://git.kernel.org/stable/c/378b131a25bd1a5ee27ca199fe486c299d5350c5
https://git.kernel.org/stable/c/3a3e3d90cbc79600544536723911657730759af3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Patchwork: https://patchwork.freedesktop.org/patch/714478/ 2026-05-28 not yet calculated CVE-2026-46211 https://git.kernel.org/stable/c/697e1a9559f6962f999cc4c748c2ffffcc0a7a7a
https://git.kernel.org/stable/c/c57c861956b89f2e2528e6384d51e2dedd915809
https://git.kernel.org/stable/c/b079e85c91f446f29e808d8291189e897f1884ff
https://git.kernel.org/stable/c/47cbfe2608314b833ad61a65827d8fb363bc2d2d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path Commit 38224c472a03 (“HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe”) added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows. Window A — put_device() before timer_delete_sync(): put_device(&kbd->backlight_dev->dev); timer_delete_sync(&kbd->inactivity_timer); The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory. Window B — backlight cleanup before hid_hw_stop(): if (kbd->backlight_dev) { timer_delete_sync(…); put_device(…); } hid_hw_close(hdev); hid_hw_stop(hdev); Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late “.event” callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device. 
Both windows produce the same KASAN slab-use-after-free: BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq handle_softirqs Allocated by task N: devm_backlight_device_register appletb_bl_probe Freed by task M: (concurrent hid_appletb_bl unbind path) Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and 2) inside the “if (kbd->backlight_dev)” block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped. 2026-05-28 not yet calculated CVE-2026-46213 https://git.kernel.org/stable/c/59a79938ca5541fe55d675304116b7ea684afef0
https://git.kernel.org/stable/c/93d989e47bc316c793a69c6a332e053c90e29f02
https://git.kernel.org/stable/c/4db2af929279c799b5653a39eb0795c72baffca4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport. 2026-05-28 not yet calculated CVE-2026-46214 https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390
https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f
https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a
https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d
https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d
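The accept-queue accounting above is easy to model. The C below is an added example, not kernel code: a listener with sk_ack_backlog and sk_max_ack_backlog, the pre-fix order (count, then validate, no undo) beside the post-fix order (validate, then count), and two checks: how many phantom children are left behind after repeated transport mismatches, and whether a well-formed connection still gets in afterwards. The listener structure and the transport-assignment stand-in are assumptions; the "full" comparison uses the same strict greater-than as the kernel helper, which is why backlog+1 failures are needed.

```c
/* Added example, not kernel code: a model of the accept-queue accounting in
 * virtio_transport_recv_listen(). Function names mirror the kernel's; the
 * listener structure and the transport-assignment stand-in are assumptions. */
#include <stdbool.h>
#include <stdio.h>

struct listener {
    unsigned int sk_ack_backlog;     /* children waiting for accept() */
    unsigned int sk_max_ack_backlog; /* backlog passed to listen() */
};

/* Same comparison as the kernel helper: full once the count exceeds backlog. */
static bool sk_acceptq_is_full(const struct listener *sk)
{
    return sk->sk_ack_backlog > sk->sk_max_ack_backlog;
}

static void sk_acceptq_added(struct listener *sk)   { sk->sk_ack_backlog++; }
static void sk_acceptq_removed(struct listener *sk) { sk->sk_ack_backlog--; }

/* Stand-in for vsock_assign_transport(): fails on a transport mismatch. */
static int vsock_assign_transport(bool transport_matches)
{
    return transport_matches ? 0 : -1;
}

/* Pre-fix shape: count the child first, validate second, never undo. */
static int recv_listen_buggy(struct listener *sk, bool transport_matches)
{
    if (sk_acceptq_is_full(sk))
        return -1;                   /* listener drops the request */
    sk_acceptq_added(sk);
    if (vsock_assign_transport(transport_matches) < 0)
        return -1;                   /* leak: sk_acceptq_removed() is skipped */
    return 0;                        /* child queued; accept() will remove it */
}

/* Post-fix shape: validate first, count only once the child is real. */
static int recv_listen_fixed(struct listener *sk, bool transport_matches)
{
    if (sk_acceptq_is_full(sk))
        return -1;
    if (vsock_assign_transport(transport_matches) < 0)
        return -1;                   /* nothing counted, nothing to undo */
    sk_acceptq_added(sk);
    return 0;
}

/* accept() side: dequeueing a real child undoes the count. */
static void accept_child(struct listener *sk) { sk_acceptq_removed(sk); }

/* Drive `failures` mismatched requests at a fresh listener and return the
 * sk_ack_backlog left behind, i.e. children that never existed. */
static unsigned int leaked_backlog(bool fixed, unsigned int backlog, unsigned int failures)
{
    struct listener sk = { 0, backlog };
    int (*recv_listen)(struct listener *, bool) = fixed ? recv_listen_fixed : recv_listen_buggy;
    unsigned int i;

    for (i = 0; i < failures; i++)
        recv_listen(&sk, false);
    return sk.sk_ack_backlog;
}

/* After `failures` mismatches, can a well-formed connection still get in? */
static bool accepts_after_failures(bool fixed, unsigned int backlog, unsigned int failures)
{
    struct listener sk = { 0, backlog };
    int (*recv_listen)(struct listener *, bool) = fixed ? recv_listen_fixed : recv_listen_buggy;
    unsigned int i;

    for (i = 0; i < failures; i++)
        recv_listen(&sk, false);
    if (recv_listen(&sk, true) != 0)
        return false;
    accept_child(&sk);
    return true;
}

int main(void)
{
    unsigned int backlog = 4;

    printf("pre-fix:  leaked=%u, good connection after %u mismatches: %s\n",
           leaked_backlog(false, backlog, backlog + 1), backlog + 1,
           accepts_after_failures(false, backlog, backlog + 1) ? "accepted" : "rejected");
    printf("post-fix: leaked=%u, good connection after %u mismatches: %s\n",
           leaked_backlog(true, backlog, backlog + 1), backlog + 1,
           accepts_after_failures(true, backlog, backlog + 1) ? "accepted" : "rejected");
    return 0;
}
```

Because the leaked count never drains, a peer on the host side that can provoke transport mismatches can turn this into a persistent denial of service against the listening socket without ever completing a connection.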
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address. Fix that by introducing a NULL check on media_gt and bailing out early if so. While at it, also drop the NULL check for gsc, since it can’t be NULL if media_gt is not NULL. v2: – Get address for gsc only after checking that gt is not NULL. (Shuicheng) – Drop the NULL check for gsc. (Shuicheng) v3: – Add “Fixes” and “Cc: <stable…>” tags. (Matt) (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1) 2026-05-28 not yet calculated CVE-2026-46216 https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc
https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Avoid overflow on msg bound check As pointed out by SDL, the previous condition may be vulnerable to overflow. (cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885) 2026-05-28 not yet calculated CVE-2026-46217 https://git.kernel.org/stable/c/5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc
https://git.kernel.org/stable/c/73043d296787bf187d89ffb5c5dcf5bdc3db7885
https://git.kernel.org/stable/c/271cd5429513ff9b364a9bf8903e5b65b687eb25
https://git.kernel.org/stable/c/30d12ee310a6024ff4c7b9eafdbbeab2db450d4a
https://git.kernel.org/stable/c/65bce27ea6192320448c30267ffc17ffa094e713
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on unbind The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free. 2026-05-28 not yet calculated CVE-2026-46219 https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188
https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2
https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02
https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46
https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) 2026-05-28 not yet calculated CVE-2026-46220 https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe
https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d
https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2
https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2
https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device name memory leak The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory. Use a stack-local char array instead of using kzalloc() for name. 2026-05-28 not yet calculated CVE-2026-46221 https://git.kernel.org/stable/c/24d2912962d087ebff7c4984f8ac34a5f23c8dbf
https://git.kernel.org/stable/c/b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a
https://git.kernel.org/stable/c/8cf5dd235eff6008cb04c3d8064d2acfa90616f1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads The pads missed checks for connected devices which may cause a null dereference when the stream is enabled. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace: rkcif_interface_enable_streams+0x48/0xf0 v4l2_subdev_enable_streams+0x26c/0x3f0 rkcif_stream_start_streaming+0x140/0x278 vb2_start_streaming+0x74/0x188 vb2_core_streamon+0xe0/0x1d8 vb2_ioctl_streamon+0x60/0xa8 v4l_streamon+0x2c/0x40 __video_do_ioctl+0x34c/0x400 video_usercopy+0x2d0/0x800 video_ioctl2+0x20/0x60 v4l2_ioctl+0x48/0x78 2026-05-28 not yet calculated CVE-2026-46222 https://git.kernel.org/stable/c/318142640590342bfec7aa06d0bdcd0ddbf953d0
https://git.kernel.org/stable/c/8e3c751259dc2d1325838eff26f41032523c7b57
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem’s ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup. [1] d245698d727a (“cgroup: Defer task cgroup unlink until after the task is done switching out”) [2] a72f73c4dd9b (“cgroup: Don’t expose dead tasks in cgroup”) [3] 1b164b876c36 (“cgroup: Wait for dying tasks to leave on rmdir”) [4] 4c56a8ac6869 (“cgroup: Fix cgroup_drain_dying() testing the wrong condition”) [5] 13e786b64bd3 (“cgroup: Increment nr_dying_subsys_* from rmdir context”) [1] moved task cset unlink from do_exit() to finish_task_switch() so a task’s cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait’s condition; [5] made nr_dying_subsys_* visible synchronously. The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can’t free because PID 1 is the reaper and it’s stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug. 
The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir’s user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained. Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that. cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup’s csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger. This seems like the right approach and I don’t see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead. v2: Pin cgrp across the deferred destroy work with explicit cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1 wasn’t actually broken (ordered cgroup_offline_wq + queue_work order in cgroup_task_dead() saved it) but the explicit ref removes the dependency on those non-obvious invariants. Also note the pre-existing cgroup_apply_control_disable() race in the description; a follow-up will defer kill_css_finish() there. 
2026-05-28 not yet calculated CVE-2026-46223 https://git.kernel.org/stable/c/33fa2e6b1507a0a377a151a8826438bedad1d0b0
https://git.kernel.org/stable/c/93618edf753838a727dbff63c7c291dee22d656b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9) 2026-05-28 not yet calculated CVE-2026-46224 https://git.kernel.org/stable/c/f9ad21b90162baf1d78f8036ff3813c3ec1ac88e
https://git.kernel.org/stable/c/8fa8c2a22585fcb31dc605b91a67bbcca223fdd7
https://git.kernel.org/stable/c/93a528f67ce5095bcab46a69839eca97f43dd352
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: rspi: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. 2026-05-28 not yet calculated CVE-2026-46225 https://git.kernel.org/stable/c/77defd64b405b680db73d767313fce770d368368
https://git.kernel.org/stable/c/c5090db1b31de3ef4db0cda7e822ab49cb572292
https://git.kernel.org/stable/c/aee76c1dd189562c6678313caec12761f78a9ef3
https://git.kernel.org/stable/c/fee6abd9845c3edd217b0e429d09f764f9a5690e
https://git.kernel.org/stable/c/9944fa6726afb1e6eb7e2212764e7da0c97f2dcc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. 2026-05-28 not yet calculated CVE-2026-46226 https://git.kernel.org/stable/c/562d954a144950ec2aa6a874ae657cb3fa31fe53
https://git.kernel.org/stable/c/e888308222375ac28bae69134dae288178718a96
https://git.kernel.org/stable/c/ca3195c7b88362d7c81efe685948663a9f9db0e6
https://git.kernel.org/stable/c/5750743a39c9d46ac9fcf57ffe000956da4942cf
https://git.kernel.org/stable/c/9b7abfed4c3754062d1f3ffd452e65a38667f586
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree. 2026-05-28 not yet calculated CVE-2026-46228 https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254
https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5
https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake. 2026-05-28 not yet calculated CVE-2026-46229 https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df
https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a
https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109
https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5
https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: put backbone reference on failed claim hash insert When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaks a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object. 2026-05-28 not yet calculated CVE-2026-46231 https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256
https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd
https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0
https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e
https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr dereference. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of. 2026-05-28 not yet calculated CVE-2026-46233 https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641
https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe
https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3
https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d
https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vsock: fix buffer size clamping order In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. 2026-05-28 not yet calculated CVE-2026-46234 https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa
https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41
https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160
https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536
https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab
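The clamp-order bug above is worth seeing with numbers. The C below is an added example, not kernel code: it models vsock_update_buffer_size() in both orders and the setsockopt step that reaches it (storing a new minimum, then re-clamping the current size), then checks whether buffer_size can end up above buffer_max_size. The socket structure, the assumed defaults (256 KiB current and maximum, 128-byte minimum) and the shape of the setsockopt path are assumptions; the transport notify hook that the real function also calls is left out.

```c
/* Added example, not kernel code: a model of vsock_update_buffer_size() and of
 * the setsockopt path that reaches it, to show how a minimum larger than the
 * maximum inverts the clamp. The structure and the default sizes are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct vsock_sock {
    uint64_t buffer_size;
    uint64_t buffer_min_size;
    uint64_t buffer_max_size;
};

/* Pre-fix order: clamp to max, then to min. A min above max wins. */
static void vsock_update_buffer_size_buggy(struct vsock_sock *vsk, uint64_t val)
{
    if (val > vsk->buffer_max_size)
        val = vsk->buffer_max_size;
    if (val < vsk->buffer_min_size)
        val = vsk->buffer_min_size;
    vsk->buffer_size = val;
}

/* Post-fix order: clamp to min, then to max. max has the final word. */
static void vsock_update_buffer_size_fixed(struct vsock_sock *vsk, uint64_t val)
{
    if (val < vsk->buffer_min_size)
        val = vsk->buffer_min_size;
    if (val > vsk->buffer_max_size)
        val = vsk->buffer_max_size;
    vsk->buffer_size = val;
}

/* Model of SO_VM_SOCKETS_BUFFER_MIN_SIZE: store the new minimum, then re-run
 * the clamp on the current size (assumed shape of the setsockopt path). */
static void set_buffer_min_size(struct vsock_sock *vsk, uint64_t val, bool fixed)
{
    vsk->buffer_min_size = val;
    if (fixed)
        vsock_update_buffer_size_fixed(vsk, vsk->buffer_size);
    else
        vsock_update_buffer_size_buggy(vsk, vsk->buffer_size);
}

/* Socket with assumed defaults: 256 KiB current, 128 B min, 256 KiB max. */
static struct vsock_sock fresh_socket(void)
{
    struct vsock_sock vsk = { 256 * 1024, 128, 256 * 1024 };
    return vsk;
}

/* Resulting buffer_size after a user sets the minimum to `min`. */
static uint64_t size_after_set_min(uint64_t min, bool fixed)
{
    struct vsock_sock vsk = fresh_socket();
    set_buffer_min_size(&vsk, min, fixed);
    return vsk.buffer_size;
}

/* Does buffer_size still respect buffer_max_size after the change? */
static bool max_respected_after_set_min(uint64_t min, bool fixed)
{
    struct vsock_sock vsk = fresh_socket();
    set_buffer_min_size(&vsk, min, fixed);
    return vsk.buffer_size <= vsk.buffer_max_size;
}

int main(void)
{
    uint64_t oversized_min = 4ull * 1024 * 1024;  /* 4 MiB, above the 256 KiB max */
    uint64_t max = fresh_socket().buffer_max_size;

    printf("pre-fix:  buffer_size=%llu (max %llu), max %s\n",
           (unsigned long long)size_after_set_min(oversized_min, false),
           (unsigned long long)max,
           max_respected_after_set_min(oversized_min, false) ? "respected" : "violated");
    printf("post-fix: buffer_size=%llu (max %llu), max %s\n",
           (unsigned long long)size_after_set_min(oversized_min, true),
           (unsigned long long)max,
           max_respected_after_set_min(oversized_min, true) ? "respected" : "violated");
    return 0;
}
```

The general rule: when two bounds can be set independently by the caller, the bound you want to be authoritative must be applied last, and the order of two clamps is only irrelevant when min <= max is guaranteed elsewhere.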
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures. 2026-05-28 not yet calculated CVE-2026-46235 https://git.kernel.org/stable/c/3ce8f3057c51bb0a66aa3fab0862be74e9f88684
https://git.kernel.org/stable/c/a9b83f46e52cf1239d780920d1a7a3e415f7b5d9
https://git.kernel.org/stable/c/6047dc542fa404b5c187cc2c7906aaaaec6d11ed
https://git.kernel.org/stable/c/6c22a6d8e4c1507bba504aeebe80476144a373eb
https://git.kernel.org/stable/c/d51c60a498e83c9a79884c8e420f97e3885c9583
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules. 2026-05-28 not yet calculated CVE-2026-46236 https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf
https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c
https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7
https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249
https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from ‘return’ to ‘ret = … break’ pattern to ensure pm_runtime_put() is always called before function exit. 2026-05-28 not yet calculated CVE-2026-46239 https://git.kernel.org/stable/c/6b03ecf75bda5900b8e661eb75656f631b598bc2
https://git.kernel.org/stable/c/f11ae9c04f8368a3b5a0280ef595198dace1c983
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix. 2026-05-28 not yet calculated CVE-2026-46241 https://git.kernel.org/stable/c/8b49b6aadd0c622ca7d68b4a53ae10362e221cf3
https://git.kernel.org/stable/c/336d9ad7560b3baba17af06727a888040ee93390
https://git.kernel.org/stable/c/5c77f11b9b5f1ad5a704dad875260c44016ede10
https://git.kernel.org/stable/c/f62c060272b9d7423b1650b844e8e4e7b8f9f925
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()’s “*pprev = next” scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() — reinitializing f_lock and f_ep — while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side’s ep_clear_and_put() drops it. The bailed epi’s share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. 
A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays. 2026-05-30 not yet calculated CVE-2026-46242 https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f
https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a
https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2. 2026-05-28 not yet calculated CVE-2026-41897 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4
https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4
https://mantisbt.org/bugs/view.php?id=37013
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users – bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2. 2026-05-28 not yet calculated CVE-2026-42070 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
https://mantisbt.org/bugs/view.php?id=37089
https://mantisbt.org/bugs/view.php?id=37093
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT’s file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2. 2026-05-28 not yet calculated CVE-2026-42071 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
https://mantisbt.org/bugs/view.php?id=27039
https://mantisbt.org/bugs/view.php?id=36985
https://mantisbt.org/bugs/view.php?id=37092
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2. 2026-05-28 not yet calculated CVE-2026-44655 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59
https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2. 2026-05-28 not yet calculated CVE-2026-44657 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2
https://mantisbt.org/bugs/view.php?id=37020
 
mapfish–mapfish-print mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3. 2026-05-28 not yet calculated CVE-2026-44672 https://github.com/mapfish/mapfish-print/security/advisories/GHSA-q7m6-wpvf-mvwx
 
markmhendrickson–neotoma Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1. 2026-05-29 not yet calculated CVE-2026-45577 https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9
https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1
 
Mennekes–Amtron The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint. 2026-05-28 not yet calculated CVE-2026-8979 https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/
 
Mennekes–Amtron The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests. 2026-05-28 not yet calculated CVE-2026-8980 https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/
 
mermaid-js–mermaid Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0. 2026-05-29 not yet calculated CVE-2026-41150 https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
 
mermaid-js–mermaid Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid’s default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis’s & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0. 2026-05-29 not yet calculated CVE-2026-41159 https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0
https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
 
MIK–Crypt::ScryptKDF Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available. 2026-05-26 not yet calculated CVE-2026-8647 https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes
https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm
 
MIK–CryptX CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three. Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow. 2026-05-28 not yet calculated CVE-2026-41565 https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1.patch
https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch
https://metacpan.org/release/MIK/CryptX-0.088_001
 
misp–cti-transmute A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim’s session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch. 2026-05-28 not yet calculated CVE-2026-9806 https://github.com/MISP/cti-transmute/commit/cf42409badc27b13d9bb644b9175aa7f27e11259
 
mlflow–mlflow/mlflow A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0. 2026-05-25 not yet calculated CVE-2026-2651 https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
 
Mozilla–Firefox for iOS Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1. 2026-05-25 not yet calculated CVE-2026-9078 https://bugzilla.mozilla.org/show_bug.cgi?id=2029371
https://www.mozilla.org/security/advisories/mfsa2026-52/
 
nanomq–nanomq NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx. 2026-05-29 not yet calculated CVE-2026-45151 https://github.com/nanomq/nanomq/security/advisories/GHSA-9qhf-wgp4-p7w5
 
NEC Platforms, Ltd.–Aterm MR51FN An OS Command Injection vulnerability exists in Aterm. If a malicious third party gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via the adjacent network. 2026-05-25 not yet calculated CVE-2026-8652 https://jpn.nec.com/security-info/secinfo/nv26-003_en.html
 
NEC Platforms, Ltd.–Aterm WX1800HP A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network. 2026-05-25 not yet calculated CVE-2026-6059 https://jpn.nec.com/security-info/secinfo/nv26-002_en.html
 
Netis–AC1200 Router Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system. 2026-05-27 not yet calculated CVE-2026-36538 http://netis-system.com
https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36538/readme.md
 
Netis–AC1200 Router Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices. 2026-05-27 not yet calculated CVE-2026-36539 https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md
 
Netis–AC1200 Router Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router’s operating system with a single HTTP POST request. 2026-05-27 not yet calculated CVE-2026-36540 http://netis-system.com
https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36540/readme.md
 
NEZUMI–Text::LineFold Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment. A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service. Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module. 2026-05-30 not yet calculated CVE-2026-8594 https://metacpan.org/release/NEZUMI/Unicode-LineBreak-2019.001/source/lib/Text/LineFold.pm#L407-415
https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch
https://github.com/hatukanezumi/Unicode-LineBreak/pull/6
 
Northern.Tech–Mender Client 5 Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass. 2026-05-27 not yet calculated CVE-2025-67903 https://northern.tech
https://mender.io/blog/cve-2025-67903-signature-verification-bypass-in-mender-client
 
Northern.Tech–Mender Enterprise Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control. 2026-05-27 not yet calculated CVE-2026-33552 https://Northern.tech
https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server
 
Northern.Tech–Mender Server Northern.tech Mender Server v4.1.0, v4.0.1 and below (fixed in v4.1.1 and v4.0.2) allows Directory Traversal. 2026-05-27 not yet calculated CVE-2026-49009 https://northern.tech
https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server
 
nrwl–nx-console Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version. 2026-05-27 not yet calculated CVE-2026-48027 https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
https://github.com/nrwl/nx-console/issues/3139
https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise
https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised
 
OALDERS–HTTP::Daemon HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl’s 2-arg open(). The 2-arg form interprets magic prefixes: ‘| cmd’ and ‘cmd |’ open a pipe to a subprocess, ‘> path’ and ‘>> path’ open the path for write or append. Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (‘cmd |’) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths. 2026-05-27 not yet calculated CVE-2026-8450 https://github.com/libwww-perl/HTTP-Daemon/pull/89
https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
 
oban-bg–oban_web Missing Authorization vulnerability in oban-bg oban_web (‘Elixir.Oban.Web.Jobs.DetailComponent’ modules) allows unauthorized job worker substitution. The handle_event(“save-job”, …) handler in ‘Elixir.Oban.Web.Jobs.DetailComponent’ does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller’s privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job’s worker field with any other existing Oban.Worker module in the application. On the job’s next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5. 2026-05-26 not yet calculated CVE-2026-48592 https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33
https://cna.erlef.org/cves/CVE-2026-48592.html
https://osv.dev/vulnerability/EEF-CVE-2026-48592
https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248
 
oban-bg–oban_web Uncontrolled Resource Consumption vulnerability in oban-bg oban_web (‘Elixir.Oban.Web.CronExpr’ modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as “0 0 1-100000000 * *”. When a user with dashboard access views the cron job list, ‘Elixir.Oban.Web.CronExpr’:describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not. This issue affects oban_web: from 2.12.0 before 2.12.5. 2026-05-26 not yet calculated CVE-2026-48593 https://github.com/oban-bg/oban_web/security/advisories/GHSA-6xh2-93p9-vqh4
https://cna.erlef.org/cves/CVE-2026-48593.html
https://osv.dev/vulnerability/EEF-CVE-2026-48593
https://github.com/oban-bg/oban_web/commit/9998b7e284e02fdd4645dd6231760038e63b584d
 
OnlyOffice–DocSpace An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner’s unique identifier (ID) and profile information, which should only be accessible to administrators. 2026-05-26 not yet calculated CVE-2026-38587 https://github.com/ONLYOFFICE/DocSpace/blob/master/CHANGELOG.md#security
 
OpenRapid–RapidCMS v1.3.1 OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter. 2026-05-27 not yet calculated CVE-2026-38930 http://openrapid.com
http://rapidcms.com
https://moworn.github.io/post/cve-2026-38930/
 
openreplay–openreplay OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/auth_project.py:14-46) only runs projects.is_authorized(project_id, tenant_id, user_id) + projects.get_project(tenant_id, project_id) when self.project_identifier == “projectId” (camelCase). For EE multi-tenant, feature-flag queries only filter on project_id, never tenant_id. Any authenticated user in tenant A can read/update/delete feature-flag rows belonging to tenant B by iterating the sequential integer project_id + feature_flag_id. OSS is single-tenant by design ({“errors”:[“tenants already registered”]} on second signup), so there is no cross-tenant impact. This vulnerability is fixed in 1.26.0. 2026-05-28 not yet calculated CVE-2026-45297 https://github.com/openreplay/openreplay/security/advisories/GHSA-5m23-rcj4-cgjx
 
OpenSolution–QuickCMS QuickCMS allows a user’s session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable. 2026-05-29 not yet calculated CVE-2026-33384 https://cert.pl/posts/2026/05/CVE-2026-33384/
https://opensolution.org/home.html
 
OpenSolution–QuickCMS QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism. A malicious attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable. 2026-05-29 not yet calculated CVE-2026-33386 https://cert.pl/posts/2026/05/CVE-2026-33384/
https://opensolution.org/home.html
 
OpenStack–Neutron In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected. 2026-05-28 not yet calculated CVE-2026-49299 https://bugs.launchpad.net/bugs/2150132
https://review.opendev.org/c/openstack/neutron/+/989099
https://www.openwall.com/lists/oss-security/2026/05/28/8
 
OpenStack–Swift In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0. 2026-05-27 not yet calculated CVE-2026-49017 https://bugs.launchpad.net/bugs/2152205
https://review.opendev.org/c/openstack/swift/+/987957
https://review.opendev.org/c/openstack/swift/+/988093
 
OpenVPN Inc–OpenVPN Connect Privilege escalation via the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel. 2026-05-26 not yet calculated CVE-2026-9560 https://openvpn.net/connect-docs/macos-release-notes.html
 
OutSystems–Lifetime OutSystems Lifetime is vulnerable to an Authorization Bypass Through User-Controlled Key vulnerability in the ApplicationID parameter. Any authenticated user can read the Change Log containing actions performed by other users as well as the application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955. 2026-05-25 not yet calculated CVE-2026-40127 https://cert.pl/en/posts/2026/05/CVE-2026-40126/
https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime
 
Pboot–CMS v3.2.11 PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality. 2026-05-26 not yet calculated CVE-2026-36239 http://pbootcms.com
http://hunan.com
https://github.com/TazmiDev/CVE-2026-36239
 
picoclaw–ExecTool picoclaw v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete. 2026-05-27 not yet calculated CVE-2026-36045 https://github.com/sipeed/picoclaw/releases/tag/v0.1.2
https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68
 
PMQS–IO::Compress IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises ‘Undefined subroutine &main::unpackValueQ’ and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool. 2026-05-27 not yet calculated CVE-2026-48961 https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
 
PMQS–IO::Compress IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process’s privilege. 2026-05-27 not yet calculated CVE-2026-48962 https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
 
PMQS–IO::Uncompress::Unzip IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError. 2026-05-27 not yet calculated CVE-2025-15649 https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch
https://github.com/pmqs/IO-Compress/issues/65
https://metacpan.org/release/PMQS/IO-Compress-2.215/changes
 
PMQS–IO::Uncompress::Unzip IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry’s compressed size, up to the non-Zip64 4 GiB cap. 2026-05-27 not yet calculated CVE-2026-48959 https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
 
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, the Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations – including installing and enabling plugins – directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. 2026-05-28 not yet calculated CVE-2026-44848 https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4
 
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. 2026-05-28 not yet calculated CVE-2026-44849 https://github.com/portainer/portainer/security/advisories/GHSA-5fxq-qcf3-244w
 
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using go-git v5, which translates Git blob entries with mode 0o120000 (symlink) into real OS symlinks on the host filesystem via os.Symlink. The only entry blocked from becoming a symlink is .gitmodules; every other path is created as a symlink without validation. Portainer’s GET /api/stacks/{id}/file endpoint then reads the stack entry point with os.ReadFile, which follows OS symlinks transparently. A repository containing docker-compose.yml as a symlink to an arbitrary filesystem path causes the symlink target’s contents to be returned verbatim in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack – the default configuration in Portainer CE – can read arbitrary files accessible to the Portainer process. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. 2026-05-28 not yet calculated CVE-2026-44881 https://github.com/portainer/portainer/security/advisories/GHSA-rpgq-m5fp-32wr
 
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer’s authentication middleware accepts JWT bearer tokens passed as the ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable). The ?token= parameter was used by Portainer’s browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed – not only administrators. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. 2026-05-28 not yet calculated CVE-2026-44883 https://github.com/portainer/portainer/security/advisories/GHSA-jvp4-q659-95mj
 
portainer–portainer Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1. 2026-05-28 not yet calculated CVE-2026-44884 https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc
 
Portainer–Portainer Community Edition Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root-equivalent access on the host. 2026-05-28 not yet calculated CVE-2026-33590 https://intwave.com/blog/2026/02/26/improving-portainer-security.html
https://github.com/portainer/portainer/commit/ac8fa7672e732b44b970c9eaf928eddd2c68796c
https://github.com/portainer/portainer/commit/3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52
 
pretix–pretix When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify whether the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire, which is unlikely to happen without a separate security problem giving them access to logs etc. 2026-05-27 not yet calculated CVE-2026-9712 https://pretix.eu/about/en/blog/20260527-release-2026-4-2/
 
prometheus–prometheus Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server’s legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3. 2026-05-26 not yet calculated CVE-2026-44903 https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28
https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d
 
py-pdf–pypdf pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0. 2026-05-28 not yet calculated CVE-2026-48155 https://github.com/py-pdf/pypdf/security/advisories/GHSA-cj93-chg6-vgv8
https://github.com/py-pdf/pypdf/pull/3790
https://github.com/py-pdf/pypdf/releases/tag/6.12.0
 
py-pdf–pypdf pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0. 2026-05-28 not yet calculated CVE-2026-48156 https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6
https://github.com/py-pdf/pypdf/pull/3791
https://github.com/py-pdf/pypdf/releases/tag/6.12.0
 
py-pdf–pypdf pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1. 2026-05-28 not yet calculated CVE-2026-48735 https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c
https://github.com/py-pdf/pypdf/pull/3796
https://github.com/py-pdf/pypdf/releases/tag/6.12.1
 
QOS.CH Sarl–logback Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive. 2026-05-28 not yet calculated CVE-2026-9828 https://logback.qos.ch/news.html#1.5.33
 
rabbitmq–rabbitmq-server RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ’s MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to topics that include their client ID. However, the client_id is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0. 2026-05-27 not yet calculated CVE-2026-44838 https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-x866-xp2g-cx8v
 
rabbitmq–rabbitmq-server RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. 2026-05-27 not yet calculated CVE-2026-44839 https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-fh5r-jpm3-fjwp
https://github.com/rabbitmq/rabbitmq-server/commit/7f54319279d1ece161ae0b4cdc6f0e58a4045eb5
 
randombit–botan Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0. 2026-05-27 not yet calculated CVE-2026-44378 https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j
 
Raynet–Rvia Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag. The Supplier’s perspective is that this is caused by Argument Injection in the find command query in rvia 12.6.4392.49. This is an arbitrary code execution flaw caused by an incorrectly constructed find command. The application actively searches for a Java executable using search criteria that are not properly terminated or sanitized. By constructing a crafted directory path that satisfies the malformed search criteria, an attacker can trick the application into executing arbitrary Java code. This differs from standard PATH manipulation because it stems from the application’s internal search logic. Specifically, a local attacker can create a crafted directory structure and path that satisfies an improperly terminated find query used by the application to locate a Java runtime. 2026-05-27 not yet calculated CVE-2025-69600 https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6
https://github.com/Wise-Security/CVE-2025-69600
 
Raynet–Rvia Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia’s Java search using the find command. 2026-05-27 not yet calculated CVE-2026-38945 https://support.raynet.de/
https://github.com/Wise-Security/CVE-2026-38945
 
Remote Spark (https://www.remotespark.com/)–SparkView Path traversal vulnerability in Remote Spark (https://www.remotespark.com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component is the RDP drive redirection. Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker. This issue affects SparkView: before build 1127. 2026-05-29 not yet calculated CVE-2026-8326 https://www.remotespark.com/view/new.html
 
Responsive File Manager–Responsive File Manager An issue in Responsive File Manager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component. 2026-05-28 not yet calculated CVE-2026-37266 https://www.responsivefilemanager.com/
https://csacyber.com/blog/responsive-filemanager-version-9-14-0-multiple-vulnerabilities-cve-2026-37266
 
Rocket.Chat–Rocket.Chat The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method. 2026-05-28 not yet calculated CVE-2026-32995 https://hackerone.com/reports/3734326
https://github.com/RocketChat/Rocket.Chat/pull/40528
 
RRWO–Mojolicious::Plugin::Statsd Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720). 2026-05-26 not yet calculated CVE-2026-46740 https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes
https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch
https://www.cve.org/CVERecord?id=CVE-2026-46720
 
RRWO–Plack::Middleware::Security::Common Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com. Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers. 2026-05-28 not yet calculated CVE-2026-9658 https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes
 
Rust Project–Cargo Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. 2026-05-25 not yet calculated CVE-2026-5223 https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
https://github.com/rust-lang/cargo/pull/17031
 
Rust–Cargo Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. 2026-05-25 not yet calculated CVE-2026-5222 https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
https://github.com/rust-lang/cargo/pull/17031
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-45040 https://github.com/rustfs/rustfs/security/advisories/GHSA-8cm2-h255-v749
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to “verify” license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-45041 https://github.com/rustfs/rustfs/security/advisories/GHSA-923g-jp7v-f97f
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-45042 https://github.com/rustfs/rustfs/security/advisories/GHSA-wfxj-ph3v-7mjf
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-29 not yet calculated CVE-2026-45043 https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server’s absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-45044 https://github.com/rustfs/rustfs/security/advisories/GHSA-8784-9m7f-c6p6
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener’s ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-46685 https://github.com/rustfs/rustfs/security/advisories/GHSA-x5xv-223c-8vm7
 
rustfs–rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2. 2026-05-28 not yet calculated CVE-2026-47136 https://github.com/rustfs/rustfs/security/advisories/GHSA-xp32-gxq2-3v52
 
SailingLab–AppLock SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android’s secure authentication APIs. By navigating cascading interface flows – insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents – an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. 2026-05-26 not yet calculated CVE-2025-68708 https://play.google.com/store/apps/details?id=com.alpha.applock
https://github.com/actuator/com.alpha.applock
https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708
 
SailingLab–Applock SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege escalation. 2026-05-26 not yet calculated CVE-2025-68709 https://play.google.com/store/apps/details?id=com.alpha.applock
https://github.com/actuator/com.alpha.applock
https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68709
 
SHAY–perl Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time. 2026-05-25 not yet calculated CVE-2026-8376 https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch
 
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error). The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering. This vulnerability is fixed in 1.18.0. 2026-05-29 not yet calculated CVE-2026-44651 https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xc4x-2452-5gc9
 
SillyTavern–SillyTavern SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, …). It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF. This vulnerability is fixed in 1.18.0. 2026-05-29 not yet calculated CVE-2026-44652 https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-ccfq-2454-f5xw
 
Slican–CCT-1668 In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchange’s configuration. If remote access is disabled, calling with this caller ID will temporarily enable it. This issue was fixed in the versions below: – IPL-256: version 6.61.0040 – IPM-032: version 6.61.0040 – CCT-1668: version 6.56.0430 – MAC-6400: version 6.56.0430 – CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: – CCT-1668 (CCT1CPU) – MAC-6400 – CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. 2026-05-27 not yet calculated CVE-2026-35090 https://cert.pl/posts/2026/05/CVE-2026-35087
 
Slican–IPx Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command. This issue was fixed in the versions below: – NCP: version 1.24.0250 – IPx series: version 6.61.0040 – CCT-1668: version 6.56.0430 – MAC-6400: version 6.56.0430 – CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: – CCT-1668 (CCT1CPU) – MAC-6400 – CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. 2026-05-27 not yet calculated CVE-2026-35087 https://cert.pl/posts/2026/05/CVE-2026-35087
 
Slican–IPx In Slican telephone exchanges the secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials. This issue was fixed in the versions below: – IPx series: version 6.61.0040 – CCT-1668: version 6.56.0430 – MAC-6400: version 6.56.0430 – CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: – CCT-1668 (CCT1CPU) – MAC-6400 – CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. 2026-05-27 not yet calculated CVE-2026-35089 https://cert.pl/posts/2026/05/CVE-2026-35087
 
SMSGate–Sms-Core An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component. 2026-05-28 not yet calculated CVE-2026-37579 https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md
 
SourceBans–Material Admin An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call. 2026-05-28 not yet calculated CVE-2026-30760 https://gist.github.com/ng-dst/ca6663a4107fd39eaba1be2cb1d52b51
https://github.com/SB-MaterialAdmin/Web
https://github.com/SB-MaterialAdmin/Web/issues/374
https://gist.github.com/ng-dst/450b698433f628990921f1e5ab46ff8c
 
SourceBans–Material Admin An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file. 2026-05-28 not yet calculated CVE-2026-30761 https://gist.github.com/ng-dst/ca6663a4107fd39eaba1be2cb1d52b51
https://github.com/SB-MaterialAdmin/Web
https://github.com/SB-MaterialAdmin/Web/issues/374
https://gist.github.com/ng-dst/254163056c2d8a2f55259dcb79531b31
 
SourceCodester–Doctor Appointment System 1.0 SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php. 2026-05-29 not yet calculated CVE-2026-36324 https://www.sourcecodester.com/php/18453/doctor-appointment-system-using-php-and-mysql-source-code.html
https://github.com/adhiyaksactf/MyCVE-Disclosures/blob/main/rems-DoctorAppointmentSystem/CVE-2026-36324/README.md
 
SpSoft–AppLock SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android’s biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows – insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents – an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. 2026-05-27 not yet calculated CVE-2025-68712 https://play.google.com/store/apps/details?id=com.sp.protector.free
https://github.com/actuator/com.sp.protector.free
https://github.com/actuator/com.sp.protector.free/blob/main/CVE-2025-68712
 
StrongDM–StrongDM Desktop Application StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdmstate.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user’s profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps). 2026-05-29 not yet calculated CVE-2026-4387 StrongDM Security Advisory
 
Suprema–BioStar 2 (server) Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement. 2026-05-29 not yet calculated CVE-2026-9508 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar
 
Suprema–BioStar 2 (server) An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems. 2026-05-29 not yet calculated CVE-2026-9509 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar
 
Tasmota–Tasmota Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function. 2026-05-27 not yet calculated CVE-2026-38422 https://github.com/arendst/Tasmota
https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino
https://github.com/sermikr0/CVE-2026-38422
 
Tasmota–Tasmota Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the xdrv_10_scripter.ino, fetch_jpg(), jpg_task.boundary[40], strcpy() function. 2026-05-27 not yet calculated CVE-2026-38426 https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino
https://github.com/sermikr0/CVE-2026-38426
 
Tasmota–Tasmota An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read. 2026-05-27 not yet calculated CVE-2026-38427 https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino
https://github.com/sermikr0/CVE-2026-38427
 
tassos.gr–Novarain/Tassos Framework (plg_system_nrframework) The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites. 2026-05-27 not yet calculated CVE-2026-48906 https://tassos.gr
 
tauri-apps–tauri Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri’s is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms’ WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri’s check for whether the origin is local only inspects the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3. 2026-05-27 not yet calculated CVE-2026-42184 https://github.com/tauri-apps/tauri/security/advisories/GHSA-7gmj-67g7-phm9
 
th30d4y–OpenLearnX OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4. 2026-05-27 not yet calculated CVE-2026-44720 https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33
 
Tigera–Calico In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001. 2026-05-28 not yet calculated CVE-2026-41184 https://github.com/projectcalico/calico/pull/12502
https://github.com/projectcalico/calico/pull/12527
https://github.com/projectcalico/calico/pull/12526
https://www.tigera.io/security-bulletins/tta-2026-001/
 
Tigera–Calico When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation – once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges. 2026-05-28 not yet calculated CVE-2026-41185 https://github.com/projectcalico/calico/pull/12502
https://github.com/projectcalico/calico/pull/12527
https://github.com/projectcalico/calico/pull/12526
https://www.tigera.io/security-bulletins/tta-2026-002/
 
Tigera–Calico When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster – inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream – CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl – can extract these credentials with zero Kubernetes privilege. calicoctl’s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled. 2026-05-28 not yet calculated CVE-2026-6720 https://github.com/projectcalico/calico/pull/12535
https://github.com/projectcalico/calico/pull/12536
https://github.com/projectcalico/calico/pull/12537
https://www.tigera.io/security-bulletins/tta-2026-003/
 
TP-Link Systems Inc.–Archer BE7200 V1 An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment. 2026-05-27 not yet calculated CVE-2026-5509 https://www.tp-link.com/en/support/download/archer-be450/#Firmware
https://www.tp-link.com/jp/support/download/archer-be450/#Firmware
https://www.tp-link.com/jp/support/download/archer-be7200/#Firmware
https://www.tp-link.com/us/support/faq/5102/
 
TP-Link Systems Inc.–Archer C64 v1.0 Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability. 2026-05-28 not yet calculated CVE-2026-8697 https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware
https://www.tp-link.com/us/support/faq/5105/
 
TP-Link Systems Inc.–Tapo L535E v1.0, v3.0 TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulation of transmitted setup data and potentially unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25. 2026-05-28 not yet calculated CVE-2026-34126 https://www.tp-link.com/us/support/download/tapo-l535e/#Firmware-Release-Notes
https://www.tp-link.com/en/support/download/tapo-l535e/v3/#Firmware-Release-Notes
https://www.tp-link.com/jp/support/download/tapo-p300/#Firmware-Release-Notes
https://www.tp-link.com/en/support/download/tapo-p300/#Firmware-Release-Notes
https://www.tp-link.com/jp/support/download/tapo-l535e/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/5106/
 
TP-Link Systems Inc.–TL-SG108PE v5 A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link’s TL-SG108PE v5 switch due to improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface. 2026-05-29 not yet calculated CVE-2026-34127 https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware
https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware
https://www.tp-link.com/us/support/faq/5110/
 
traccar–traccar Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(…). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0. 2026-05-26 not yet calculated CVE-2026-44314 https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm
 
TriliumNext–Trilium Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note’s API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2. 2026-05-29 not yet calculated CVE-2026-45668 https://github.com/TriliumNext/Trilium/security/advisories/GHSA-9jjc-cccq-f6rh
 
ultrajson–ultrajson UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1. 2026-05-27 not yet calculated CVE-2026-44660 https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
https://github.com/ultrajson/ultrajson/releases/tag/5.12.1
 
Unknown–Eupago Gateway For Woocommerce The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant’s payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account. 2026-05-28 not yet calculated CVE-2026-7862 https://wpscan.com/vulnerability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/
 
Unknown–EventPress The EventPress WordPress theme before 22.2 does not sanitize or escape the ‘id’ parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users. 2026-05-27 not yet calculated CVE-2026-6268 https://wpscan.com/vulnerability/77192aeb-8e4b-4057-b5d7-2b95da634edd/
 
uzy–ssm-mall–uzy-ssm-mall SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components. 2026-05-27 not yet calculated CVE-2026-38808 https://github.com/cagexunxi/CVE/issues/3
 
Veeam–Backup and Replication This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation. 2026-05-28 not yet calculated CVE-2026-32996 https://www.veeam.com/kb4852
 
Veeam–Backup and Replication A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server. 2026-05-28 not yet calculated CVE-2026-32997 https://www.veeam.com/kb4852
 
Veeam–Service Provider Console This vulnerability in Veeam Service Provider Console allows for remote code execution. 2026-05-28 not yet calculated CVE-2026-32998 https://www.veeam.com/kb4853
 
verbb–formie Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26. 2026-05-29 not yet calculated CVE-2026-47266 https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg
https://github.com/verbb/formie/releases/tag/2.2.21
https://github.com/verbb/formie/releases/tag/3.1.26
 
View Concept–Kidsview A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant themselves full access to the device owner’s account by interacting with the application’s push notification. This issue was fixed in version 4.4.3. 2026-05-28 not yet calculated CVE-2026-8990 https://cert.pl/posts/2026/05/CVE-2026-8990
https://kidsview.pl/
 
vllm-project–vllm-project/vllm vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user’s explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted. 2026-05-28 not yet calculated CVE-2026-4944 https://huntr.com/bounties/97f706f7-a852-49b2-a4eb-76811e611daf
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. 2026-05-29 not yet calculated CVE-2025-41265 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41265
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. 2026-05-29 not yet calculated CVE-2025-41266 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41266
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. 2026-05-29 not yet calculated CVE-2025-41267 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41267
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines. 2026-05-29 not yet calculated CVE-2025-41268 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41269 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41269
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41270 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41270
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to read arbitrary files from the device. 2026-05-29 not yet calculated CVE-2025-41271 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41271
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41272 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41272
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user. 2026-05-29 not yet calculated CVE-2025-41273 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41273
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41274 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41274
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41275 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41275
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41276 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41276
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. 2026-05-29 not yet calculated CVE-2025-41277 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41277
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host. 2026-05-29 not yet calculated CVE-2025-41278 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41278
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the Administration WebUI in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 RX Host. 2026-05-29 not yet calculated CVE-2025-41279 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41279
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled. 2026-05-29 not yet calculated CVE-2025-41280 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280
 
Waterfall–WF-500 Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured. 2026-05-29 not yet calculated CVE-2025-41281 https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41281
 
Webmin–Webmin Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi. 2026-05-27 not yet calculated CVE-2026-49103 https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1
https://github.com/webmin/webmin/compare/2.630...2.640
 
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST[‘updateFile’] as a relative path under updatedb/ and passes it to PHP’s file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process. 2026-05-29 not yet calculated CVE-2026-45731 https://github.com/WWBN/AVideo/security/advisories/GHSA-3mjv-375j-6h92
 
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open – including private user-profile photos that the application’s normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication. 2026-05-29 not yet calculated CVE-2026-46337 https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq
 
WWBN–AVideo WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user’s wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled. 2026-05-29 not yet calculated CVE-2026-47696 https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8
 
XCharge–C6 A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device’s management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device. 2026-05-28 not yet calculated CVE-2026-9037 https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08
 
XCharge–C6 A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges. 2026-05-28 not yet calculated CVE-2026-9038 https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08
 
XCharge–C6 A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access. 2026-05-28 not yet calculated CVE-2026-9039 https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08
 
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua’s LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6. 2026-05-26 not yet calculated CVE-2026-43981 https://github.com/xyproto/algernon/security/advisories/GHSA-rr2f-4wrm-h6rg
https://github.com/xyproto/algernon/issues/172
 
xyproto–algernon Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6. 2026-05-26 not yet calculated CVE-2026-43982 https://github.com/xyproto/algernon/security/advisories/GHSA-2j2c-pv62-mmcp
https://github.com/xyproto/algernon/issues/172
 
yhirose–cpp-httplib cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector, undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, an explicit runtime diagnostic is produced. This vulnerability is fixed in 0.44.0. 2026-05-29 not yet calculated CVE-2026-46527 https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g
 
yoda-digital–mcp-gitlab-server GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator’s GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0. 2026-05-26 not yet calculated CVE-2026-44895 https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf
 
YVES–Sereal::Decoder Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag’s own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path). 2026-05-31 not yet calculated CVE-2026-8796 https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch
https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes
 