High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike–Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. | 2026-01-15 | 9.8 | CVE-2021-47772 | ExploitDB-50472 Vendor Homepage |
| 10-Strike–Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions. | 2026-01-15 | 7.8 | CVE-2021-47767 | ExploitDB-50494 Vendor Homepage |
| 4Homepages–4images | 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. | 2026-01-13 | 8.8 | CVE-2022-50806 | ExploitDB-51147 Official 4images Software Download Page VulnCheck Advisory: 4images 1.9 – Remote Command Execution (RCE) |
| ABB–ABB Ability OPTIMAX | Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX. This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. | 2026-01-16 | 8.1 | CVE-2025-14510 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch |
| Acer–Acer Backup Manager Module | Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager to inject malicious executables that would run with elevated LocalSystem privileges. | 2026-01-16 | 7.8 | CVE-2021-47826 | ExploitDB-49889 Acer Official Homepage VulnCheck Advisory: Acer Backup Manager Module 3.0.0.99 – ‘IScheduleSvc.exe’ Unquoted Service Path |
| Acer–Acer Updater Service | Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater to inject malicious executables that will run with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47825 | ExploitDB-49890 Acer Official Homepage VulnCheck Advisory: Acer Updater Service 1.2.3500.0 – ‘UpdaterService.exe’ Unquoted Service Path |
| Acer–ePowerSvc | Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47823 | ExploitDB-49900 Acer Official Homepage VulnCheck Advisory: ePowerSvc 6.0.3008.0 – ‘ePowerSvc.exe’ Unquoted Service Path |
| Adobe–Bridge | Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21283 | https://helpx.adobe.com/security/products/bridge/apsb26-07.html |
| Adobe–Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21267 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe–Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21268 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe–Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21271 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe–Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21272 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe–Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21274 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe–Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21280 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe–InCopy | InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21281 | https://helpx.adobe.com/security/products/incopy/apsb26-04.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21275 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21276 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21277 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21304 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe–Substance3D – Designer | Substance3D – Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21307 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21298 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21299 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe–Substance3D – Painter | Substance3D – Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21305 | https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html |
| Adobe–Substance3D – Sampler | Substance3D – Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21306 | https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html |
| Adobe–Substance3D – Stager | Substance3D – Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21287 | https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html |
| Advantech–IoTSuite and IoT Edge Products | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. | 2026-01-12 | 10 | CVE-2025-52694 | https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/ |
| agentfront–enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0. | 2026-01-13 | 10 | CVE-2026-22686 | https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63 https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1 |
| ahmadgb–GeekyBot Generate AI Content Without Prompt, Chatbot and Lead Generation | The GeekyBot – Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. | 2026-01-14 | 7.2 | CVE-2025-15266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b30e84db-c73f-4df2-9c88-c37a7e14c95b?source=cve https://wordpress.org/plugins/geeky-bot/ |
| Aimeos–Aimeos Laravel ecommerce platform | Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api ‘sort’ parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | 2026-01-15 | 8.2 | CVE-2021-47763 | ExploitDB-50538 Vendor Homepage Aimeos Laravel E-Commerce Package |
| Aimone-Video-Converter–AimOne Video Converter | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software’s registration mechanism. | 2026-01-13 | 9.8 | CVE-2023-54328 | ExploitDB-51196 AimOne Video Converter Software Informer Page Archived AimOne Software Website Vulnerability Reproduction Repository VulnCheck Advisory: AimOne Video Converter 2.04 Build 103 Buffer Overflow in Registration Form |
| Aiven-Open–bigquery-connector-for-apache-kafka | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven’s Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks. | 2026-01-16 | 7.7 | CVE-2026-23529 | https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/commit/20ea3921c6fe72d605a033c1943b20f49eaba981 https://docs.cloud.google.com/support/bulletins#gcp-2025-005 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/releases/tag/v2.11.0 |
| ajseidl–AJS Footnotes | The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘note_list_class’ and ‘popup_display_effect_in’ parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4da167e0-c1cf-496f-9b14-35fc70386be1?source=cve https://plugins.trac.wordpress.org/browser/ajs-footnotes/tags/1.0/ajs_footnotes.php?marks=138,271,303#L138 |
| Algo Solutions–Algo 8028 | Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure ‘source’ parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. | 2026-01-13 | 8.8 | CVE-2022-50909 | ExploitDB-50960 Algo Solutions Official Homepage Algo 8028 Firmware Downloads VulnCheck Advisory: Algo 8028 Control Panel – Remote Code Execution (RCE) (Authenticated) |
| Altium–Altium 365 | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | 2026-01-15 | 9 | CVE-2026-1009 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium–Altium Enterprise Server | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | 2026-01-15 | 8 | CVE-2026-1010 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium–Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | 2026-01-15 | 7.6 | CVE-2026-1008 | https://www.altium.com/platform/security-compliance/security-advisories |
| Ametys–Ametys CMS | Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory’s input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules. | 2026-01-13 | 7.2 | CVE-2022-50937 | ExploitDB-50692 Vulnerability Lab Advisory Official Ametys CMS Homepage VulnCheck Advisory: Ametys CMS v4.4.1 – Cross Site Scripting (XSS) |
| amitmerchant1990–Markdownify | Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47837 | ExploitDB-49835 Markdownify GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdownify 1.2.0 – Persistent Cross-Site Scripting |
| anomalyco–opencode | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user’s privileges. This vulnerability is fixed in 1.0.216. | 2026-01-12 | 8.8 | CVE-2026-22812 | https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh |
| appsmithorg–appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. | 2026-01-12 | 9.7 | CVE-2026-22794 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 10 | CVE-2025-61937 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. | 2026-01-16 | 8.4 | CVE-2025-61943 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 8.8 | CVE-2025-64691 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | 2026-01-16 | 8.1 | CVE-2025-64729 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. | 2026-01-16 | 8.8 | CVE-2025-65118 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The Process Optimization application suite leverages connection channels/protocols that by-default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. | 2026-01-16 | 7.1 | CVE-2025-64769 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA–Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. | 2026-01-16 | 7.4 | CVE-2025-65117 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| Bdtask–Isshue Shopping Cart | Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | 2026-01-15 | 7.2 | CVE-2021-47769 | ExploitDB-50490 Vulnerability-Lab Disclosure Official Product Homepage |
| Beehive Forum–Beehive Forum | Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. | 2026-01-13 | 7.5 | CVE-2022-50910 | ExploitDB-50923 Beehive Forum Official Website Beehive Forum SourceForge Project Proof of Concept Imgur VulnCheck Advisory: Beehive Forum – Account Takeover |
| Brother–Brother BRAgent | Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent to inject and execute malicious code with elevated system permissions. | 2026-01-15 | 7.8 | CVE-2020-36928 | ExploitDB-50010 BRAgent Webpage VulnCheck Advisory: Brother BRAgent 1.38 – ‘WBA_Agent_Client’ Unquoted Service Path |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in print job processing by WSD on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14231 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in XML processing of XPS file in Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14232 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Invalid free in CPCA file deletion processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14233 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14234 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14235 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14236 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.–Satera LBP670C Series | Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14237 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| checkpoint–Harmony SASE | A local user can trigger the Harmony SASE Windows client to write or delete files outside the intended certificate working directory. | 2026-01-14 | 7.5 | CVE-2025-9142 | https://support.checkpoint.com/results/sk/sk184557 |
| clevo–HotKey Clipboard | Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations. | 2026-01-13 | 8.4 | CVE-2023-53984 | ExploitDB-51206 Archived Vendor Homepage VulnCheck Advisory: HotKey Clipboard 2.1.0.6 – Privilege Escalation Unquoted Service Path |
| Cmder–Cmder Console Emulator | Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator’s buffer and crash the application. | 2026-01-15 | 9.8 | CVE-2021-47781 | ExploitDB-50401 Cmder GitHub Repository |
| Cobbr–Covenant | Covenant 0.1.3 – 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | 2026-01-13 | 9.8 | CVE-2020-36911 | ExploitDB-51141 Vendor Homepage Covenant GitHub Repository Archived Researcher Blog Exploit Repository Archived Maintainer Patch Announcement VulnCheck Advisory: Covenant 0.5 – Remote Code Execution (RCE) |
| Cobiansoft–Cobian Backup | Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50923 | ExploitDB-50810 Vendor Homepage Software Download Page VulnCheck Advisory: Cobian Backup 0.9 – Unquoted Service Path |
| code-projects–Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-12 | 7.3 | CVE-2026-0852 | VDB-340447 \| code-projects Online Music Site AdminUpdateUser.php sql injection VDB-340447 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734136 \| code-projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/Learner636/CVE-smbmit/issues/2 https://code-projects.org/ |
| Connectify Inc–Connectify Hotspot | Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files (x86)\Connectify\ConnectifyService.exe’ to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50929 | ExploitDB-50764 Official Vendor Homepage VulnCheck Advisory: Connectify Hotspot 2018 ‘ConnectifyService’ – Unquoted Service Path |
| ConnectWise–PSA | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed. | 2026-01-16 | 8.7 | CVE-2026-0695 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| Contpaqi–CONTPAQ AdminPAQ | CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50938 | ExploitDB-50690 CONTPAQi Official Software Download Page VulnCheck Advisory: CONTPAQi® AdminPAQ 14.0.0 – Unquoted Service Path |
| Cooler Master Technology Inc.–Cooler Master MasterPlus | CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50808 | ExploitDB-51159 CoolerMaster MasterPlus Official Homepage VulnCheck Advisory: CoolerMaster MasterPlus 1.8.5 – ‘MPService’ Unquoted Service Path |
| cotonti.com–Cotonti Siena | Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel’s site title parameter. Attackers can inject malicious JavaScript code through the ‘maintitle’ parameter to execute scripts when administrators view the page. | 2026-01-15 | 7.2 | CVE-2021-47808 | ExploitDB-50016 Vendor Homepage Software Download VulnCheck Advisory: Cotonti Siena 0.9.19 – ‘maintitle’ Stored Cross-Site Scripting |
| croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-12166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5214a399-21a4-4573-9840-1d5043781bc0?source=cve https://plugins.trac.wordpress.org/changeset/3408539/ |
| Cyberfox–Cyberfox Web Browser | Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47784 | ExploitDB-50336 Archived Cyberfox Web Browser Homepage |
| D-Link–DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-18 | 7.3 | CVE-2026-1125 | VDB-341717 \| D-Link DIR-823X set_wifidog_settings sub_412E7C command injection VDB-341717 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734966 \| D-Link DIR-823X Router V250416 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DIR_823X/DIR-823X%20V250416%20Command%20Execution%20Vulnerability.md https://www.dlink.com/ |
| danny-avila–LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat’s MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2. | 2026-01-12 | 9.1 | CVE-2026-22252 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f |
| daschmi–GetContentFromURL | The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the ‘url’ parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-14 | 7.2 | CVE-2025-14613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b83db6c7-09af-4707-a96b-ee551f27e3b7?source=cve https://plugins.trac.wordpress.org/browser/getcontentfromurl/trunk/classes/shortcode.class.php#L20 https://plugins.trac.wordpress.org/browser/getcontentfromurl/tags/1.0/classes/shortcode.class.php#L20 |
| dashboardbuilder–DASHBOARD BUILDER WordPress plugin for Charts and Graphs | The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output. | 2026-01-14 | 7.1 | CVE-2025-14615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51 |
| Dell–SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-13 | 7.5 | CVE-2025-46685 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| Delta Electronics–DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62581 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics–DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62582 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics–DIAView | Delta Electronics DIAView has a Command Injection vulnerability. | 2026-01-16 | 7.8 | CVE-2026-0975 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00002_DIAView%20-Exposed%20Dangerous%20Method%20Remote%20Code%20Execution%20(CVE-2026-0975).pdf |
| denoland–deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. | 2026-01-15 | 8.1 | CVE-2026-22864 | https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 https://github.com/denoland/deno/releases/tag/v2.5.6 |
| Denver–Smart Wifi Camera | Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera’s operating system. | 2026-01-15 | 9.8 | CVE-2021-47796 | ExploitDB-50160 Official Product Homepage VulnCheck Advisory: Denver Smart Wifi Camera SHC-150 – ‘Telnet’ Remote Code Execution (RCE) |
| dfir-iris–iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file’s file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24. | 2026-01-12 | 9.6 | CVE-2026-22783 | https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 |
| dharashah–Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. | 2026-01-15 | 8.8 | CVE-2021-47757 | ExploitDB-50572 Product Webpage Product GitHub Repository Product Sourceforge Page |
| dharashah–Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | 2026-01-15 | 8.8 | CVE-2021-47758 | ExploitDB-50571 Product Webpage Product GitHub Repository Product Sourceforge Page |
| Diskboss–DiskBoss Service | DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup. | 2026-01-16 | 7.8 | CVE-2021-47822 | ExploitDB-49899 Official Vendor Homepage VulnCheck Advisory: DiskBoss Service 12.2.18 – ‘diskbsa.exe’ Unquoted Service Path |
| Diskpulse–DiskPulse | DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe’ to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36927 | ExploitDB-50012 Vendor Homepage VulnCheck Advisory: DiskPulse 13.6.14 – Unquoted Service Path |
| Disksavvy–Disk Savvy | Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-15 | 7.8 | CVE-2021-47805 | ExploitDB-50024 Vendor Homepage VulnCheck Advisory: Disk Savvy 13.6.14 – ‘Multiple’ Unquoted Service Path |
| Disksorter–Disk Sorter Enterprise | Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe’ to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47809 | ExploitDB-50014 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 13.6.12 – ‘Disk Sorter Enterprise’ Unquoted Service Path |
| Disksorter–Disk Sorter Server | Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Disk Sorter Server\bin\disksrs.exe’ to inject malicious executables and escalate privileges. | 2026-01-16 | 7.8 | CVE-2021-47847 | ExploitDB-50013 Vendor Homepage VulnCheck Advisory: Disk Sorter Server 13.6.12 – ‘Disk Sorter Server’ Unquoted Service Path |
| divisupreme–Supreme Modules Lite Divi Theme, Extra Theme and Divi Builder | The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-01-15 | 8.8 | CVE-2025-13062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi |
| docmost–docmost | Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via the Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation on the filename. This vulnerability is fixed in 0.24.0. | 2026-01-15 | 7.1 | CVE-2026-22249 | https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg https://github.com/docmost/docmost/pull/1753 https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05 https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| Dolibarr–CRM | Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. | 2026-01-15 | 7.2 | CVE-2021-47779 | ExploitDB-50432 Official Dolibarr Vendor Homepage Dolibarr GitHub Repository VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 – Stored Cross-Site Scripting (XSS) / Privilege Escalation |
| donknap–dpanel | DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. | 2026-01-15 | 8.1 | CVE-2025-66292 | https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 https://github.com/donknap/dpanel/releases/tag/v1.9.2 |
| Dupscout–Dup Scout | Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Dup Scout Server\bin\dupscts.exe’ to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47806 | ExploitDB-50025 Vendor Homepage VulnCheck Advisory: Dup Scout 13.5.28 – ‘Multiple’ Unquoted Service Path |
| dupterminator–DupTerminator | DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10. | 2026-01-16 | 7.5 | CVE-2021-47818 | ExploitDB-49917 DupTerminator Project Homepage VulnCheck Advisory: DupTerminator 1.4.5639.37199 – Denial of Service |
| dvcrn–Markright | Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim’s system. | 2026-01-16 | 7.2 | CVE-2021-47838 | ExploitDB-49834 Markright GitHub Repository Proof of Concept Video VulnCheck Advisory: Markright 1.0 – Persistent Cross-Site Scripting |
| Dynojet–Dynojet Power Core | Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service’s file path to gain Local System access. | 2026-01-15 | 7.8 | CVE-2021-47773 | ExploitDB-50466 Official Vendor Homepage |
| E107–e107 CMS | e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager’s remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface. | 2026-01-13 | 7.2 | CVE-2022-50939 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 – Upload Restriction Bypass with Path Traversal File Override |
| e107–e107 CMS | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager’s remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | 2026-01-13 | 9.8 | CVE-2022-50905 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 – Reflected XSS via Comment Flow |
| e107–e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. | 2026-01-13 | 7.2 | CVE-2022-50907 | ExploitDB-50910 Official e107 CMS Vendor Homepage e107 CMS Download Page VulnCheck Advisory: e107 CMS v3.2.1 – Admin Upload Restriction Bypass + RCE |
| e107–e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. | 2026-01-13 | 7.2 | CVE-2022-50916 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 – Upload restriction bypass (Authenticated [Admin])+ Server file override |
| EaseUS–EaseUS Data Recovery | EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50914 | ExploitDB-50886 EaseUS Official Homepage VulnCheck Advisory: EaseUS Data Recovery – ‘ensserver.exe’ Unquoted Service Path |
| Elastic–Kibana | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads. | 2026-01-14 | 8.6 | CVE-2026-0532 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524 |
| Emerson–Emerson PAC Machine Edition | Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50930 | ExploitDB-50745 Emerson Official Homepage Software Download Link VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 – ‘TrapiServer’ Unquoted Service Path |
| En–Kingdia CD Extractor | Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell. | 2026-01-15 | 9.8 | CVE-2021-47774 | ExploitDB-50470 Software Download Page |
| envoyproxy–gateway | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy’s credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. | 2026-01-12 | 8.8 | CVE-2026-22771 | https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 |
| Epic Games–Epic Games Store | A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | 2026-01-15 | 8.8 | CVE-2025-61973 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279 |
| Explorerplusplus–Explorer32++ | Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Structured Exception Handler (SEH) records that allows attackers to execute arbitrary code. Attackers can exploit the vulnerability by providing a long file name argument over 396 characters to corrupt the SEH chain and potentially execute malicious code. | 2026-01-13 | 9.8 | CVE-2023-54334 | ExploitDB-51077 Archived Explorer++ Website VulnCheck Advisory: Explorer32++ 1.3.5.531 – Buffer overflow |
| Extplorer–eXtplorer | eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. | 2026-01-13 | 9.8 | CVE-2023-54335 | ExploitDB-51067 Official eXtplorer Product Homepage VulnCheck Advisory: eXtplorer<= 2.1.14 – Authentication Bypass & Remote Code Execution (RCE) |
| FeMiner–wms | A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. Manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1059 | VDB-341628 | FeMiner wms chkuser.php sql injection VDB-341628 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731236 | GitHub WMS (Warehouse Management System) V1.0 SQL Injection https://github.com/wangchaoxing/CVE/issues/1 |
| FmeAddons–Registration & Login with Mobile Phone Number for WooCommerce | The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | 2026-01-17 | 9.8 | CVE-2025-10484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve https://woocommerce.com/products/registration-login-with-mobile-phone-number/ |
| Fortinet–FortiFone | An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. | 2026-01-13 | 9.3 | CVE-2025-47855 | https://fortiguard.fortinet.com/psirt/FG-IR-25-260 |
| Fortinet–FortiSIEM | An improper neutralization of special elements used in an os command (‘os command injection’) vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests. | 2026-01-13 | 9.4 | CVE-2025-64155 | https://fortiguard.fortinet.com/psirt/FG-IR-25-772 |
| Fortinet–FortiSwitchManager | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2026-01-13 | 7.4 | CVE-2025-25249 | https://fortiguard.fortinet.com/psirt/FG-IR-25-084 |
| Freeter–Freeter | Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47835 | ExploitDB-49833 Official Freeter Product Homepage Proof of Concept Video VulnCheck Advisory: Freeter 1.2.1 – Persistent Cross-Site Scripting |
| Gearboxcomputers–WifiHotSpot | WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47833 | ExploitDB-49845 WiFi Hotspot Product Page VulnCheck Advisory: WifiHotSpot 1.0.0.0 – ‘WifiHotSpotService.exe’ Unquoted Service Path |
| getarcaneapp–arcane | Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. | 2026-01-15 | 9.1 | CVE-2026-23520 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 https://github.com/getarcaneapp/arcane/pull/1468 https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4 https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0 |
| Getgrav–GravCMS | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. | 2026-01-15 | 7.5 | CVE-2021-47812 | ExploitDB-49973 Official Grav CMS Homepage VulnCheck Advisory: GravCMS 1.10.7 – Arbitrary YAML Write/Update (Unauthenticated) (2) |
| Getoutline–Outline | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2023-54331 | ExploitDB-51128 Official Outline Product Homepage VulnCheck Advisory: Outline 1.6.0 – Unquoted Service Path |
| Github–Sandboxie Plus | Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47832 | ExploitDB-49842 Sandboxie Plus GitHub Repository VulnCheck Advisory: Sandboxie Plus 0.7.4 – ‘SbieSvc’ Unquoted Service Path |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | 2026-01-14 | 7.7 | CVE-2025-11224 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #573223 HackerOne Bug Bounty Report #3277291 |
| glpi-project–glpi | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, …). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-64516 | https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46 https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27 https://github.com/glpi-project/glpi/releases/tag/10.0.21 https://github.com/glpi-project/glpi/releases/tag/11.0.3 |
| glpi-project–glpi | GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-66417 | https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9 |
| Gotac–Police Statistics Database System | Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | 2026-01-16 | 9.8 | CVE-2026-1019 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac–Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing an unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-16 | 9.8 | CVE-2026-1021 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac–Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing an unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1018 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac–Statistics Database System | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1022 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Gotac–Statistics Database System | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. | 2026-01-16 | 7.5 | CVE-2026-1023 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Grocerycrud–Grocery crud | Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47811 | ExploitDB-49985 Vendor Homepage Software Download Page VulnCheck Advisory: Grocery crud 1.6.4 – ‘order_by’ SQL Injection |
| h3js–h3 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for “chunked”, but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. | 2026-01-15 | 8.9 | CVE-2026-23527 | https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097 |
| HCL Software–MyXalytics | HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk. | 2026-01-16 | 7.4 | CVE-2025-59870 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115 |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in a system function of mobility conductors running the AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices. | 2026-01-13 | 8.2 | CVE-2025-37168 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37169 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37170 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37171 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37172 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system. | 2026-01-13 | 7.2 | CVE-2025-37173 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37174 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | An arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37175 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37181 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37182 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37183 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–Instant On | A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets. | 2026-01-13 | 7.5 | CVE-2025-37165 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–Instant On | A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network. | 2026-01-13 | 7.5 | CVE-2025-37166 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–Virtual Intranet Access (VIA) | A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. | 2026-01-13 | 7.8 | CVE-2025-37186 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04994en_us&docLocale=en_US |
| Hikvision–DS-96xxxNI-Hx | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66177 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| Hikvision–DS-K1T331 | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66176 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22817 | https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4 https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22818 | https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4 https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134 |
| Httpdebugger–HTTPDebuggerPro | HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. | 2026-01-15 | 7.8 | CVE-2021-47762 | ExploitDB-50545 Official Product Homepage |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68955 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68956 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68957 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68958 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68960 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei–HarmonyOS | Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. | 2026-01-14 | 7.8 | CVE-2025-68968 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| I-Funbox–iFunbox | iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47803 | ExploitDB-50040 iFunbox Official Homepage VulnCheck Advisory: iFunbox 4.2 – ‘Apple Mobile Device Service’ Unquoted Service Path |
| ilwebmaster21–WOW21 | WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50921 | ExploitDB-50818 Archived Product Homepage VulnCheck Advisory: WOW21 5.0.1.9 – ‘Service WOW21_Service’ Unquoted Service Path |
| ImpressCMS–ImpressCMS | ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server. | 2026-01-13 | 9.8 | CVE-2022-50912 | ExploitDB-50890 Official ImpressCMS Homepage ImpressCMS GitHub Repository VulnCheck Advisory: ImpressCMS 1.4.4 – Unrestricted File Upload |
| Inbit–Inbit Messenger | Inbit Messenger 4.6.0 – 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger’s protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges. | 2026-01-13 | 9.8 | CVE-2023-54329 | ExploitDB-51127 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 – Unauthenticated Remote Command Execution (RCE) |
| Inbit–Inbit Messenger | Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger’s network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems. | 2026-01-13 | 9.8 | CVE-2023-54330 | ExploitDB-51126 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 – Unauthenticated Remote SEH Overflow |
| Infonetsoftware–Mediconta | Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3 to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2023-54336 | ExploitDB-51064 Vendor Homepage VulnCheck Advisory: Mediconta 3.7.27 – ‘servermedicontservice’ Unquoted Service Path |
| Insyde Software–InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value, through which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12050 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software–InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value, through which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12051 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software–InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value, through which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12052 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software–InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value, through which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12053 | https://www.insyde.com/security-pledge/sa-2025010/ |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2. | 2026-01-13 | 8.8 | CVE-2026-22861 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h https://github.com/InternationalColorConsortium/iccDEV/pull/475 https://github.com/InternationalColorConsortium/iccDEV/pull/476 https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329 |
| ITEC–TCQ | ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges. Attackers can insert a malicious executable in the service path to gain elevated access during service restart or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50913 | ExploitDB-50902 Vendor Homepage VulnCheck Advisory: TCQ – ‘ITeCProteccioAppServer.exe’ Unquoted Service Path |
| itsourcecode–Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Manipulation of the argument activity_id can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. | 2026-01-18 | 7.3 | CVE-2026-1119 | VDB-341711 | itsourcecode Society Management System delete_activity.php sql injection VDB-341711 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734290 | itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/1 https://itsourcecode.com/ |
| IVT Corp–Bluetooth Application BlueSoleilCS | BlueSoleilCS 5.4.277 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in ‘C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe’ to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50928 | ExploitDB-50761 Archived IVT Corporation Website VulnCheck Advisory: Bluetooth Application 5.4.277 – ‘BlueSoleilCS’ Unquoted Service Path |
| jeroenpeters1986–Name Directory | The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name_directory_name’ and ‘name_directory_description’ parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38 https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927 |
| jokkedk–Webgrind | Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload ‘0%27%26calc.exe%26%27’ to execute commands on the target system. | 2026-01-13 | 9.8 | CVE-2023-54339 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 – Remote Command Execution (RCE) via dataFile Parameter |
| jotron–StudyMD | StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47842 | ExploitDB-49832 StudyMD GitHub Repository Proof of Concept Video VulnCheck Advisory: StudyMD 0.3.2 – Persistent Cross-Site Scripting |
| Juniper Networks–Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in ‘forward-only’ mode with Option 82, the device should drop the message unless ‘trust-option82’ is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server’s address pool, ultimately leading to address pool exhaustion. This issue affects Junos OS: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2. Junos OS Evolved: * all versions before 21.4R3-S12-EVO, * all versions of 22.2-EVO, * from 22.4 before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 7.4 | CVE-2025-59960 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103149 |
| Juniper Networks–Junos OS | A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring: [ protocols bgp … disable-4byte-as ] Established BGP sessions can be checked by executing: show bgp neighbor <IP address> \| match “4 byte AS” This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 7.5 | CVE-2025-60003 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103166 |
| Juniper Networks–Junos OS | A Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21905 | https://supportportal.juniper.net/JSA106004 https://kb.juniper.net/JSA106004 |
| Juniper Networks–Junos OS | An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default; GRE performance acceleration is not, and must be enabled explicitly through configuration (the command is given in the Juniper advisory listed under Source Info). PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21906 | https://supportportal.juniper.net/JSA106005 https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-powermode-ipsec-vpn.html https://kb.juniper.net/JSA106005 |
| Juniper Networks–Junos OS | A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker’s direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-01-15 | 7.1 | CVE-2026-21908 | https://supportportal.juniper.net/JSA106007 https://kb.juniper.net/JSA106007 |
| Juniper Networks–Junos OS | An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of ‘show chassis routing-engine’ and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1. | 2026-01-15 | 7.5 | CVE-2026-21913 | https://supportportal.juniper.net/JSA106014 https://kb.juniper.net/JSA106014 |
| Juniper Networks–Junos OS | An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire the lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21914 | https://supportportal.juniper.net/JSA106015 https://kb.juniper.net/JSA106015 |
| Juniper Networks–Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series: * 23.2 versions from 23.2R2-S2 before 23.2R2-S5, * 23.4 versions from 23.4R2-S1 before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R1-S3, 24.4R2. Earlier versions of Junos are also affected, but no fix is available. | 2026-01-15 | 7.5 | CVE-2026-21917 | https://supportportal.juniper.net/JSA105996 https://kb.juniper.net/JSA105996 |
| Juniper Networks–Junos OS | A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, a specific sequence of packets encountered during TCP session establishment triggers a double free. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. | 2026-01-15 | 7.5 | CVE-2026-21918 | https://supportportal.juniper.net/JSA106018 https://kb.juniper.net/JSA106018 |
| Juniper Networks–Junos OS | An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing receives a specifically formatted DNS request, flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1. | 2026-01-15 | 7.5 | CVE-2026-21920 | https://supportportal.juniper.net/JSA106020 https://kb.juniper.net/JSA106020 |
| kalyan02–NanoCMS | NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server’s pages directory by exploiting the page creation mechanism without proper input sanitization. | 2026-01-13 | 8.8 | CVE-2022-50898 | ExploitDB-50997 NanoCMS GitHub Repository NanoCMS Exploit Archive VulnCheck Advisory: NanoCMS 0.4 – Remote Code Execution (RCE) (Authenticated) |
| kraftplugins–Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. | 2026-01-17 | 7.5 | CVE-2025-14478 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php |
| KYOCERA Document Solutions–Kyocera Command Center RX | Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../…/etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. | 2026-01-13 | 7.5 | CVE-2022-50932 | ExploitDB-50738 Kyocera Command Center RX Official Product Page VulnCheck Advisory: Kyocera Command Center RX ECOSYS M2035dn – Directory Traversal File Disclosure (Unauthenticated) |
| LabRedesCefetRJ–WeGIA | WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user’s browser session. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 9.1 | CVE-2026-23722 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 7.2 | CVE-2026-23723 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Laravel–Laravel Valet | Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. | 2026-01-15 | 8.4 | CVE-2021-47756 | ExploitDB-50591 Laravel Valet Official Documentation VulnCheck Advisory: Laravel Valet 2.0.3 – Local Privilege Escalation (macOS) |
| Leawo–Leawo Prof. Media | Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface. | 2026-01-15 | 7.5 | CVE-2021-47797 | ExploitDB-50153 Vendor Homepage VulnCheck Advisory: Leawo Prof. Media 11.0.0.1 – Denial of Service (DoS) (PoC) |
| lemonldap-ng–LemonLDAP::NG | In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | 2026-01-16 | 7.2 | CVE-2025-31510 | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 |
| Lenovo–ThinkPlus FU100 | A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | 2026-01-14 | 7.8 | CVE-2025-13455 | https://iknow.lenovo.com.cn/detail/436983 |
| Levelprograms–Kmaleon | Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the ‘tipocomb’ parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. | 2026-01-15 | 7.1 | CVE-2021-47766 | ExploitDB-50499 Archived Kmaleon Software Product Page |
| Litexmedia–Audio Conversion Wizard | Audio Conversion Wizard v2.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory with a specially crafted registration code. Attackers can generate a payload that overwrites the application’s memory stack, potentially enabling remote code execution through a carefully constructed input buffer. | 2026-01-13 | 9.8 | CVE-2022-50922 | ExploitDB-50811 Audio Wizard Product Webpage VulnCheck Advisory: Audio Conversion Wizard v2.01 – Buffer Overflow |
| Litexmedia–YouTube Video Grabber | YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port. | 2026-01-15 | 8.4 | CVE-2021-47775 | ExploitDB-50471 Product Webpage |
| Macro-Expert–Macro Expert | Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup. | 2026-01-15 | 7.8 | CVE-2021-47780 | ExploitDB-50431 Macro Expert Official Website VulnCheck Advisory: Macro Expert 4.7 – Unquoted Service Path |
| Mailhog–Mailhog | Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation. | 2026-01-13 | 7.2 | CVE-2022-50908 | ExploitDB-50971 MailHog GitHub Repository Shodan Search Results for MailHog VulnCheck Advisory: Mailhog 1.0.1 – Stored Cross-Site Scripting (XSS) |
| Malavida–Cain & Abel | Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2022-50933 | ExploitDB-50728 Official Software Download Page VulnCheck Advisory: Cain & Abel 4.9.56 – Unquoted Service Path |
| MCPJam–inspector | MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. | 2026-01-16 | 9.8 | CVE-2026-23744 | https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a |
| MegaTKC–Aero CMS | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. | 2026-01-13 | 8.2 | CVE-2022-50895 | ExploitDB-51022 Archived AeroCMS GitHub Repository Vulnerability Research Repository VulnCheck Advisory: Aero CMS 0.0.1 – SQL Injection |
| Merit LILIN–DH032 | Certain DVR/NVR models developed by Merit LILIN have an OS command injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0854 | https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html |
| Merit LILIN–P2 | Certain IP camera models developed by Merit LILIN have an OS command injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0855 | https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html |
| metagauss–RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the ‘add_menu’ function being reachable via the ‘rm_user_exists’ AJAX action, which allows arbitrary updates to the ‘admin_order’ setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin’s menu generation logic; when the admin menu is subsequently built, the plugin adds the ‘manage_options’ capability to the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | 2026-01-17 | 9.8 | CVE-2025-15403 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562 https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2 |
| Microsoft–Azure Connected Machine Agent | Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-21224 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| Microsoft–Azure Core shared client library for Python | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-21226 | Azure Core shared client library for Python Remote Code Execution Vulnerability |
| Microsoft–Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft–Microsoft 365 Apps for Enterprise | Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 7.8 | CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft–Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20956 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft–Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft–Microsoft Office 2019 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20946 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Microsoft Power Apps | Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | 2026-01-16 | 8 | CVE-2026-20960 | Microsoft Power Apps Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of special elements used in an sql command (‘sql injection’) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20947 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20963 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20948 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20951 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Server 2019 | Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-20943 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| Microsoft–Microsoft SQL Server 2022 (GDR) | Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.2 | CVE-2026-20803 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| Microsoft–Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20950 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Office Online Server | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.1 | CVE-2026-20856 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20868 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. | 2026-01-13 | 8 | CVE-2026-20931 | Windows Telephony Service Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20804 | Windows Hello Tampering Vulnerability |
| Microsoft–Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20809 | Windows Kernel Memory Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20814 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20816 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20826 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20831 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability | 2026-01-13 | 7.8 | CVE-2026-20832 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20836 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20837 | Windows Media Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20840 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20843 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20844 | Windows Clipboard Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20848 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20849 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20852 | Windows Hello Tampering Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows WalletService allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20853 | Windows WalletService Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20858 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Access of resource using incompatible type (‘type confusion’) in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20860 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20861 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20864 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20865 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20866 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20867 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20869 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20873 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20874 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. | 2026-01-13 | 7.5 | CVE-2026-20875 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20877 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20918 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20919 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20921 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20923 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20924 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20926 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20929 | Windows HTTP.sys Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20934 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 22H2 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20940 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20857 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20938 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft–Windows Admin Center in Azure Portal | Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.5 | CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability |
| Microsoft–Windows SDK | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-21219 | Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
| Microsoft–Windows Server 2019 | Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | 2026-01-13 | 7.5 | CVE-2026-0386 | Windows Deployment Services Remote Code Execution Vulnerability |
| Microsoft–Windows Server 2022 | Access of resource using incompatible type (‘type confusion’) in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20811 | Win32k Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20820 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20842 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Double free in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20863 | Win32k Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20871 | Desktop Windows Manager Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Use after free in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20920 | Win32k Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2022 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Printer Association Object allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20808 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20815 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20830 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20859 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Use after free in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20870 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Improper link resolution before file access (‘link following’) in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20941 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-21221 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Millegpg–MilleGPG5 | MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. | 2026-01-15 | 7.8 | CVE-2021-47761 | ExploitDB-50558 Vendor Homepage |
| mindsdb–mindsdb | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not “url”. Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. | 2026-01-12 | 8.1 | CVE-2025-68472 | https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7 |
| MIT–Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. | 2026-01-16 | 7.1 | CVE-2025-24528 | https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 https://github.com/krb5/krb5/compare/krb5-1.21.3-final…krb5-1.22-final |
| Modular DS–Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation. This issue affects Modular DS: from n/a through 2.5.1. | 2026-01-14 | 10 | CVE-2026-23550 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/ https://help.modulards.com/en/article/modular-ds-security-release-modular-connector-252-dm3mv0/ |
| Moeditor–Moeditor | Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim’s system. | 2026-01-16 | 7.2 | CVE-2021-47840 | ExploitDB-49830 Moeditor Official Homepage Proof of Concept Video VulnCheck Advisory: Moeditor 0.2.0 – Persistent Cross-Site Scripting |
| Mp3-Avi-Mpeg-Wmv-Rm-To-Audio-Cd-Burner–Ether_MP3_CD_Burner | Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation. | 2026-01-15 | 9.8 | CVE-2021-47785 | ExploitDB-50332 Software Download Link VulnCheck Advisory: Ether_MP3_CD_Burner 1.3.8 – Buffer Overflow (SEH) |
| mrvladus–Errands | Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | 2026-01-12 | 8.2 | CVE-2025-71063 | https://github.com/mrvladus/Errands/issues/401 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738 https://github.com/mrvladus/Errands/releases/tag/46.2.10 https://github.com/mrvladus/Errands/commit/04e567b432083fc798ea2249363ea6c83ff01099 https://github.com/mrvladus/Errands/compare/46.2.9…46.2.10 |
| n/a–EasyCMS | A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1105 | VDB-341697; EasyCMS UserAction.class.php sql injection VDB-341697; CTI Indicators (IOB, IOC, TTP, IOA); Submit #731465; https://github.com/TeamEasy/EasyCMS; EasyCMS v1.6 SQL injection vulnerability https://github.com/ueh1013/VULN/issues/15 |
| N/A–Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. | 2026-01-16 | 10 | CVE-2026-23800 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve |
| n8n–n8n | Using string formatting and exception handling, an attacker may bypass n8n’s python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under “Internal” execution mode. If the instance is operating under the “External” execution mode (ex. n8n’s official Docker image) – arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact. | 2026-01-18 | 8.5 | CVE-2026-0863 | https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/ https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02 |
| National Oceanic and Atmospheric Administration (NOAA)–Live Access Server (LAS) | Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of ‘gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java’ from 2025-09-24. | 2026-01-15 | 9.8 | CVE-2025-62193 | |
| Noteburner–NoteBurner | NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the ‘Name’ and ‘Code’ fields to trigger an application crash. | 2026-01-15 | 9.8 | CVE-2021-47798 | ExploitDB-50154 Official Product Homepage VulnCheck Advisory: NoteBurner 2.35 – Denial Of Service (DoS) (PoC) |
| Nsauditor–Backup Key Recovery | Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a large buffer of 256 repeated characters into the registration key field to trigger application instability and potential crash. | 2026-01-15 | 7.5 | CVE-2021-47813 | ExploitDB-49966 Vendor Homepage VulnCheck Advisory: Backup Key Recovery 2.2.7 – Denial of Service (PoC) |
| Nsauditor–NBMonitor | NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. | 2026-01-15 | 7.5 | CVE-2021-47814 | ExploitDB-49964 Vendor Homepage VulnCheck Advisory: NBMonitor 1.6.8 – Denial of Service (PoC) |
| Nsauditor–Nsauditor | Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the ‘Key’ field to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47815 | ExploitDB-49965 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.3 – Denial of Service (PoC) |
| NVIDIA–NSIGHT Graphics | NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. | 2026-01-14 | 7.8 | CVE-2025-33206 | https://nvd.nist.gov/vuln/detail/CVE-2025-33206 https://www.cve.org/CVERecord?id=CVE-2025-33206 https://nvidia.custhelp.com/app/answers/detail/a_id/5738 |
| Odinesolutions–Odine Solutions GateKeeper | Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. | 2026-01-15 | 8.2 | CVE-2021-47782 | ExploitDB-50381 Odine Solutions GateKeeper Product Homepage VulnCheck Advisory: Odine Solutions GateKeeper 1.0 – ‘trafficCycle’ SQL Injection |
| OpenAgentPlatform–Dive | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0. | 2026-01-16 | 9.7 | CVE-2026-23523 | https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8 https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779 |
| OpenC3–cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2. | 2026-01-13 | 10 | CVE-2025-68271 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp |
| Phoenix Contact–TC ROUTER 3002T-3G | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation (‘Code Injection’). | 2026-01-13 | 8.8 | CVE-2025-41717 | https://certvde.com/de/advisories/VDE-2025-073 |
| Phphtmledit–CuteEditor | CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory. | 2026-01-13 | 7.5 | CVE-2021-47751 | ExploitDB-50994 Vendor Homepage VulnCheck Advisory: CuteEditor for PHP 6.6 – Directory Traversal |
| Phpkf–phpKF CMS | phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | 2026-01-15 | 9.8 | CVE-2021-47753 | ExploitDB-50610 Official Vendor Homepage Software Download Page |
| pimcore–pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-14 | 8.8 | CVE-2026-23492 | https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 |
| pimcore–pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 8.6 | CVE-2026-23493 | https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h https://github.com/pimcore/pimcore/pull/18918 https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| Pjo2–Tftpd32_SE | Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions. | 2026-01-13 | 8.4 | CVE-2023-54338 | ExploitDB-51076 Vendor Homepage VulnCheck Advisory: Tftpd32_SE 4.60 – ‘Tftpd32_svc’ Unquoted Service Path |
| plugins360–All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-01-16 | 8.8 | CVE-2025-12957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery |
| Primera–PTPublisher | PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in ‘C:Program Files (x86)Primera TechnologyPTPublisherUsbFlashDongleService.exe’ to inject malicious executables and gain system-level access. | 2026-01-13 | 8.4 | CVE-2022-50915 | ExploitDB-50885 Primera Technology Official Homepage VulnCheck Advisory: PTPublisher 2.3.4 – Unquoted Service Path |
| Private Internet Access–Private Internet Access | Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50924 | ExploitDB-50804 Vendor Homepage Software Download Page VulnCheck Advisory: Private Internet Access 3.3 – ‘pia-service’ Unquoted Service Path |
| Progress Software–Flowmon ADS | A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | 2026-01-13 | 8.8 | CVE-2025-13774 | https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774 |
| Progress Software–LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters. | 2026-01-13 | 8.4 | CVE-2025-13444 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Progress Software–LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters. | 2026-01-13 | 8.4 | CVE-2025-13447 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Projeqtor–ProjeQtOr Project Management | ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | 2026-01-15 | 9.8 | CVE-2021-47819 | ExploitDB-49919 ProjeQtOr Official Website |
| ProtonVPN–ProtonVPN | ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50917 | ExploitDB-50837 ProtonVPN Official Website VulnCheck Advisory: ProtonVPN 1.26.0 – Unquoted Service Path |
| Prowise–Prowise Reflect | Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. | 2026-01-13 | 9.8 | CVE-2022-50925 | ExploitDB-50796 Prowise Official Homepage VulnCheck Advisory: Prowise Reflect v1.0.9 – Remote Keystroke Injection |
| pyasn1–pyasn1 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | 2026-01-16 | 7.5 | CVE-2026-23490 | https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2 |
| Pysoft–Active WebCam | Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47790 | ExploitDB-50273 Software Download Page Vendor Homepage VulnCheck Advisory: Active WebCam 11.5 – Unquoted Service Path |
| Raimersoft–RarmaRadio | RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash. | 2026-01-16 | 7.5 | CVE-2021-47821 | ExploitDB-49906 Vendor Homepage VulnCheck Advisory: RarmaRadio 2.72.8 – Denial of Service |
| Red Hat–Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 | A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users’ Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. | 2026-01-13 | 9 | CVE-2025-12548 | RHSA-2025:22620 RHSA-2025:22623 RHSA-2025:22652 https://access.redhat.com/security/cve/CVE-2025-12548 RHBZ#2408850 |
| Redragon–Redragon Gaming Mouse | Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows attackers to trigger a denial of service by sending malformed IOCTL requests. Attackers can send a crafted 2000-byte buffer with specific byte patterns to the REDRAGON_MOUSE device to crash the kernel driver. | 2026-01-15 | 7.5 | CVE-2021-47786 | ExploitDB-50322 Vendor Download Page Vulnerability Research Repository VulnCheck Advisory: Redragon Gaming Mouse – ‘REDRAGON_MOUSE.sys’ Denial of Service (PoC) |
| Remotemouse–Remote Mouse | Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47792 | ExploitDB-50258 Official Vendor Homepage VulnCheck Advisory: Remote Mouse 4.002 – Unquoted Service Path |
| Ribccs–Build Smart ERP | Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the ‘eidValue’ parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ‘;WAITFOR DELAY ‘0:0:3’– to manipulate database queries and potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47777 | ExploitDB-50445 Build Smart ERP Vendor Homepage |
| risesoft-y9–Digital-Infrastructure | A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Manipulating this function can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 7.3 | CVE-2026-1050 | VDB-341603: risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java SQL injection VDB-341603: CTI Indicators (IOB, IOC, TTP, IOA) Submit #731010: risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection https://github.com/risesoft-y9/Digital-Infrastructure/issues/2 https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959 |
| RocketChat–Rocket.Chat | Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | 2026-01-14 | 7.7 | CVE-2026-23477 | https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2 |
| roxy-wi–roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, a command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice – once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | 2026-01-15 | 7.5 | CVE-2026-22265 | https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 |
| Sandboxie–Sandboxie Plus | Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50920 | ExploitDB-50819 Official Sandboxie-Plus Product Homepage VulnCheck Advisory: Sandboxie-Plus 5.50.2 – ‘Service SbieSvc’ Unquoted Service Path |
| Sandboxie-Plus–Sandboxie | Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47831 | ExploitDB-49844 Sandboxie Official Homepage VulnCheck Advisory: Sandboxie 5.49.7 – Denial of Service |
| SAP_SE–SAP Application Server for ABAP and SAP NetWeaver RFCSDK | Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system’s confidentiality, integrity, and availability. | 2026-01-13 | 8.4 | CVE-2026-0507 | https://me.sap.com/notes/3675151 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a high impact on the confidentiality and integrity of the application; availability is not impacted. | 2026-01-13 | 8.1 | CVE-2026-0511 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP HANA database | SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. This exploit could result in a total compromise of the system’s confidentiality, integrity, and availability. | 2026-01-13 | 8.8 | CVE-2026-0492 | https://me.sap.com/notes/3691059 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Landscape Transformation | SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0491 | https://me.sap.com/notes/3697979 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP NetWeaver Application Server ABAP and ABAP Platform | Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | 2026-01-13 | 8.1 | CVE-2026-0506 | https://me.sap.com/notes/3688703 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP S/4HANA (Private Cloud and On-Premise) | SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0498 | https://me.sap.com/notes/3694242 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) | Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. | 2026-01-13 | 9.9 | CVE-2026-0501 | https://me.sap.com/notes/3687749 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Wily Introscope Enterprise Manager (WorkStation) | Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim’s machine. This could completely compromise the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.6 | CVE-2026-0500 | https://me.sap.com/notes/3668679 https://url.sap/sapsecuritypatchday |
| shopware–shopware | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and a crafted PHP Closure not being checked against the allow list for the map(…) override. This vulnerability is fixed in 6.7.6.1. | 2026-01-14 | 7.2 | CVE-2026-23498 | https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475 |
| SICK AG–Incoming Goods Suite | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: Viewers can view all dashboards/folders regardless of permissions; Editors can view/edit/delete all dashboards/folders regardless of permissions; Editors can create dashboards in any folder regardless of permissions; Anonymous users with viewer/editor roles are similarly affected. Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. | 2026-01-15 | 8.3 | CVE-2026-0713 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive. | 2026-01-15 | 8.3 | CVE-2026-22638 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to an Improper Input Validation vulnerability in Grafana. This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher. | 2026-01-15 | 8.3 | CVE-2026-22643 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01. | 2026-01-15 | 7.6 | CVE-2026-0712 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–TDC-X401GL | An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. | 2026-01-15 | 9.9 | CVE-2026-22907 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. | 2026-01-15 | 9.1 | CVE-2026-22908 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. | 2026-01-15 | 7.5 | CVE-2026-22909 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. | 2026-01-15 | 7.5 | CVE-2026-22910 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| Siemens–Industrial Edge Cloud Device (IECD) | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. | 2026-01-13 | 10 | CVE-2025-40805 | https://cert-portal.siemens.com/productcert/html/ssa-014678.html https://cert-portal.siemens.com/productcert/html/ssa-001536.html |
| Siemens–SIMATIC ET 200AL IM 157-1 PN | A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation. | 2026-01-13 | 7.5 | CVE-2025-40944 | https://cert-portal.siemens.com/productcert/html/ssa-674753.html |
| Siemens–TeleControl Server Basic | A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). The affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. | 2026-01-13 | 8.8 | CVE-2025-40942 | https://cert-portal.siemens.com/productcert/html/ssa-192617.html |
| Skyjos–Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device. | 2026-01-13 | 7.5 | CVE-2022-50890 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 – Path Traversal |
| SLIMS–Senayan Library Management System | Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the ‘class’ parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information. | 2026-01-13 | 8.2 | CVE-2022-50805 | ExploitDB-51161 Senayan Library Management System Official Website Vulnerability Research Repository VulnCheck Advisory: Senayan Library Management System 9.0.0 – SQL Injection |
| Smartertools–SmarterTools SmarterTrack | SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents’ first and last names along with their unique identifiers. | 2026-01-15 | 7.5 | CVE-2020-36926 | ExploitDB-50328 SmarterTools Official Homepage SmarterTrack Product Page VulnCheck Advisory: SmarterTools SmarterTrack 7922 – Information Disclosure |
| Smartftp–SmartFTP Client | SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client’s interface. | 2026-01-15 | 7.5 | CVE-2021-47791 | ExploitDB-50266 SmartFTP Official Homepage SmartFTP Download Page VulnCheck Advisory: SmartFTP Client 10.0.2909.0 – ‘Multiple’ Denial of Service |
| SMCI–X12STW-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12006 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMCI–X13SEM-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12007 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMEWebify–WebErpMesv2 | WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. | 2026-01-12 | 8.2 | CVE-2026-22788 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23 |
| Softlink Education–Oliver Library Server | Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the ‘fileName’ parameter to download sensitive files from the server’s filesystem. | 2026-01-15 | 9.8 | CVE-2021-47755 | ExploitDB-50599 Oliver Library Server Official Product Homepage |
| Splashtop–Splashtop | Splashtop 8.71.12001.0 contains an unquoted service path vulnerability in the Splashtop Software Updater Service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Splashtop\Splashtop Software Updater to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50693 | ExploitDB-51182 Splashtop Official Homepage VulnCheck Advisory: Splashtop 8.71.12001.0 – Unquoted Service Path |
| Splinterware–iDailyDiary | iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47824 | ExploitDB-49898 Vendor Homepage VulnCheck Advisory: iDailyDiary 4.30 – Denial of Service (PoC) |
| Spy-Emergency–Spy Emergency | Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart. | 2026-01-16 | 7.8 | CVE-2021-47845 | ExploitDB-49997 Vendor Homepage VulnCheck Advisory: Spy Emergency 25.0.650 – Unquoted Service Path |
| stellarwp–Membership Plugin Restrict Content | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the ‘rcp_stripe_create_setup_intent_for_saved_card’ function due to a missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. | 2026-01-16 | 8.2 | CVE-2025-14844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987 https://docs.stripe.com/api/setup_intents/object https://cwe.mitre.org/data/definitions/639.html https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php |
| strongSwan–strongSwan | In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. | 2026-01-16 | 8.1 | CVE-2025-62291 | https://github.com/strongswan/strongswan/releases https://github.com/strongswan/strongswan/commits/master/src/libcharon/plugins/eap_mschapv2 https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html |
| suitenumerique–docs | LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. | 2026-01-15 | 8.7 | CVE-2026-22867 | https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6 https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77 https://github.com/suitenumerique/docs/releases/tag/v4.4.0 |
| sumatrapdfreader–sumatrapdf | SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application’s installation directory, leading to arbitrary code execution. | 2026-01-14 | 8.6 | CVE-2026-23512 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673 |
| Support–Brother BRPrint Auditor | Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system. | 2026-01-15 | 7.8 | CVE-2020-36929 | ExploitDB-50005 Brother BRPrint Auditor Download Page (NL) Brother BRPrint Auditor Download Page (FR) VulnCheck Advisory: Brother BRPrint Auditor 3.0.7 – ‘Multiple’ Unquoted Service Path |
| sveltejs–devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn’t sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22774 | https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| sveltejs–devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn’t sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22775 | https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| Sylkat-Tools–AWebServer GhostBuilding | AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | 2026-01-15 | 7.5 | CVE-2021-47752 | ExploitDB-50629 Vendor Homepage Software Download Link |
| Syncbreeze–Sync Breeze | Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in ‘Program Files’ directories to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47807 | ExploitDB-50023 Vendor Homepage VulnCheck Advisory: Sync Breeze 13.6.18 – ‘Multiple’ Unquoted Service Path |
| Sysax–Sysax Multi Server | Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality. | 2026-01-13 | 7.5 | CVE-2023-54337 | ExploitDB-51066 Vendor Homepage VulnCheck Advisory: Sysax Multi Server 6.95 – ‘Password’ Denial of Service (PoC) |
| Sysgauge–SysGauge | SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\SysGauge Server\bin\sysgaus.exe’ to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36930 | ExploitDB-50009 Vendor Homepage VulnCheck Advisory: SysGauge 7.9.18 – ‘SysGauge Server’ Unquoted Service Path |
| Tagstoo–Tagstoo | Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim’s computer. | 2026-01-15 | 7.2 | CVE-2021-47843 | ExploitDB-49828 Tagstoo Official Homepage Proof of Concept Video |
| Tdarr–Tdarr | Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py \| python` to execute remote code without authentication. | 2026-01-13 | 9.8 | CVE-2022-50919 | ExploitDB-50822 Official Vendor Homepage VulnCheck Advisory: Tdarr 2.00.15 – Command Injection |
| TeamSpeak–TeamSpeak | TeamSpeak 3.5.6 contains an insecure file permissions vulnerability that allows local attackers to replace executable files with malicious binaries. Attackers can replace system executables like ts3client_win32.exe with custom files to potentially gain SYSTEM or Administrator-level access. | 2026-01-13 | 8.4 | CVE-2022-50931 | ExploitDB-50743 TeamSpeak Official Vendor Homepage TeamSpeak Downloads Page VulnCheck Advisory: TeamSpeak 3.5.6 – Insecure File Permissions |
| Telcel–FLAME II MODEM USB | Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in ‘C:\Program Files (x86)\Internet Telcel\ApplicationController.exe’ to execute arbitrary code with elevated system privileges. | 2026-01-13 | 9.8 | CVE-2022-50935 | ExploitDB-50708 Archived Telcel Flame II MODEM USB Product Page VulnCheck Advisory: FLAME II MODEM USB – Unquoted Service Path |
| Telegram–Telegram Desktop | Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47793 | ExploitDB-50247 Official Telegram Homepage VulnCheck Advisory: Telegram Desktop 2.9.2 – Denial of Service (PoC) |
| Tenable–Nessus Agent | A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. | 2026-01-13 | 8.8 | CVE-2025-36640 | https://www.tenable.com/security/tns-2026-01 |
| Termix-SSH–Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0. | 2026-01-12 | 8 | CVE-2026-22804 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35 |
| Testlink–TestLink | TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the ‘id’ parameter with ‘skipCheck=1’ to bypass access controls. | 2026-01-15 | 9.8 | CVE-2021-47760 | ExploitDB-50578 Official TestLink Product Homepage Archived Researcher Blog |
| The Browser Company of New York–Dia | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | 2026-01-16 | 7.4 | CVE-2025-15032 | https://www.diabrowser.com/security/bulletins#CVE-2025-15032 |
| Thecus–Thecus N4800Eco Nas Server Control Panel | Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges. | 2026-01-16 | 8.8 | CVE-2021-47816 | ExploitDB-49926 Thecus Official Vendor Homepage Thecus N4800Eco Product Page Researcher Blog VulnCheck Advisory: Thecus N4800Eco Nas Server Control Panel – Command Injection |
| Totalav–TotalAV | TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration. | 2026-01-15 | 7.8 | CVE-2021-47787 | ExploitDB-50314 TotalAV Official Homepage VulnCheck Advisory: TotalAV 5.15.69 – Unquoted Service Path |
| tridenttechnolabs–Shipping Rate By Cities | The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the ‘city’ parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-14770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11e7e798-9fb9-4cff-a96f-a0003f203f5f?source=cve https://plugins.trac.wordpress.org/browser/shipping-rate-by-cities/trunk/shiprate-cities-method-class.php#L372 |
| Umbraco–Forms | In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. | 2026-01-16 | 7.5 | CVE-2025-68924 | https://our.umbraco.com/packages/developer-tools/umbraco-forms/ https://github.com/advisories/GHSA-vrgw-pc9c-qrrc https://www.nuget.org/packages/UmbracoForms |
| vaghasia3–News and Blog Designer Bundle | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-01-14 | 9.8 | CVE-2025-14502 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 |
| vesparny–Marky | Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47839 | ExploitDB-49831 Marky GitHub Repository Proof of Concept Video VulnCheck Advisory: Marky 0.0.1 – Persistent Cross-Site Scripting |
| Vianeos–Vianeos OctoPUS | Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the ‘login_user’ parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information. | 2026-01-15 | 8.2 | CVE-2021-47801 | ExploitDB-50078 Vendor Homepage Software Product Page VulnCheck Advisory: Vianeos OctoPUS 5 – ‘login_user’ SQLi |
| VIAVIWEB–VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | 2026-01-13 | 9.8 | CVE-2022-50893 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 – Code Execution via Image Upload |
| VIAVIWEB–VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information. | 2026-01-13 | 9.8 | CVE-2022-50894 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php |
| VIAVIWEB–VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting ‘admin’ or 1=1– – payload to gain unauthorized access to the administrative interface. | 2026-01-13 | 8.2 | CVE-2022-50892 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 – SQL Injection via Login Page |
| VIVE–VIVE Runtime Service | VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup. | 2026-01-13 | 8.4 | CVE-2022-50918 | ExploitDB-50824 Official VIVE Homepage VIVE Developer Downloads VulnCheck Advisory: VIVE Runtime Service – ‘ViveAgentService’ Unquoted Service Path |
| Wago–WAGO 750-8212 PFC200 | WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie’s ‘name’ and ‘roles’ parameters to elevate from ordinary user to administrative privileges without authentication. | 2026-01-13 | 9.8 | CVE-2022-50926 | ExploitDB-50793 Official Vendor Homepage VulnCheck Advisory: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation |
| Wbce–WBCE CMS | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. | 2026-01-13 | 8.8 | CVE-2022-50936 | ExploitDB-50707 WBCE CMS Official Website WBCE CMS Downloads Page WBCE CMS GitHub Repository VulnCheck Advisory: WBCE CMS 1.5.2 – Remote Code Execution (RCE) (Authenticated) |
| WeblateOrg–wlc | wlc is a Weblate command-line client using Weblate’s REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. | 2026-01-16 | 8.1 | CVE-2026-23535 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg https://github.com/WeblateOrg/wlc/pull/1128 https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f https://github.com/WeblateOrg/wlc/releases/tag/1.17.2 |
| Websitebaker–WebsiteBaker | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. | 2026-01-15 | 8.8 | CVE-2021-47788 | ExploitDB-50310 WebsiteBaker Official Homepage VulnCheck Advisory: WebsiteBaker 2.13.0 – Remote Code Execution (RCE) (Authenticated) |
| WebSSH–WebSSH for iOS | WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated ‘A’ characters into the mashREPL input field, causing the application to crash. | 2026-01-16 | 7.5 | CVE-2021-47827 | ExploitDB-49883 WebSSH iOS App Store Page VulnCheck Advisory: WebSSH for iOS 14.16.10 – ‘mashREPL’ Denial of Service |
| Weird-Solutions–BOOTP Turbo | BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | 2026-01-16 | 7.8 | CVE-2021-47828 | ExploitDB-49851 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.0.1253 – ‘bootpt.exe’ Unquoted Service Path |
| Weird-Solutions–DHCP Broadband | DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in ‘C:\Program Files\DHCP Broadband 4\dhcpt.exe’ to inject malicious code that will execute during service startup with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47829 | ExploitDB-49850 Vendor Homepage VulnCheck Advisory: DHCP Broadband 4.1.0.1503 – ‘dhcpt.exe’ Unquoted Service Path |
| Wibu–WibuKey Runtime | WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe’ to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47810 | ExploitDB-49999 Vendor Homepage Software Download Page VulnCheck Advisory: WibuKey Runtime 6.51 – ‘WkSvW32.exe’ Unquoted Service Path |
| Wisecleaner–Wise Care | Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47804 | ExploitDB-50038 Official Vendor Homepage VulnCheck Advisory: Wise Care 365 5.6.7.568 – ‘WiseBootAssistant’ Unquoted Service Path |
| Wondershare–Wondershare Dr.Fone | Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50900 | ExploitDB-50813 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 12.0.18 – ‘Wondershare InstallAssist’ Unquoted Service Path |
| Wondershare–Wondershare Dr.Fone | Wondershare Dr.Fone 11.4.9 contains an unquoted service path vulnerability in the DFWSIDService that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone to inject malicious executables that would run with LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50901 | ExploitDB-50755 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 11.4.9 – ‘DFWSIDService’ Unquoted Service Path |
| Wondershare–Wondershare FamiSafe | Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe to inject malicious code that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50902 | ExploitDB-50757 Vendor Homepage VulnCheck Advisory: Wondershare FamiSafe 1.0 – ‘FSService’ Unquoted Service Path |
| Wondershare–Wondershare MobileTrans | Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50903 | ExploitDB-50756 Vendor Homepage VulnCheck Advisory: Wondershare MobileTrans 3.5.9 – ‘ElevationService’ Unquoted Service Path |
| Wondershare–Wondershare UBackit | Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50904 | ExploitDB-50758 Vendor Homepage VulnCheck Advisory: Wondershare UBackit 2.0.5 – ‘wsbackup’ Unquoted Service Path |
| woosaai–Integration Opvius AI for WooCommerce | The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files. | 2026-01-14 | 9.8 | CVE-2025-14301 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 |
| WordPress–Social-Share-Buttons | Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents. | 2026-01-13 | 8.2 | CVE-2023-54333 | ExploitDB-51116 WP Plugin Webpage Vulnerability Research Repository VulnCheck Advisory: Social-Share-Buttons 2.2.3 – SQL Injection via project_id Parameter |
| WorkOrder–WorkOrder CMS | WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR ‘1’=‘1’ and stacked queries to access database information or execute administrative commands. | 2026-01-13 | 8.2 | CVE-2023-54340 | ExploitDB-51038 WorkOrder CMS GitHub Repository VulnCheck Advisory: WorkOrder CMS 0.1.0 – SQL Injection |
| Yenkee–Yenkee Hornet Gaming Mouse | Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash. | 2026-01-15 | 7.5 | CVE-2021-47789 | ExploitDB-50311 Yenkee Vendor Webpage Quadron Research Lab Kernel Driver Bugs Repository VulnCheck Advisory: Yenkee Hornet Gaming Mouse – ‘GM312Fltr.sys’ Denial of Service (PoC) |
| Yonyou–KSOA | A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1120 | VDB-341712 \| Yonyou KSOA HTTP GET Parameter del_work.jsp sql injection VDB-341712 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734535 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/6 |
| Yonyou–KSOA | A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1121 | VDB-341713 \| Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection VDB-341713 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734548 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/7 |
| Yonyou–KSOA | A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1122 | VDB-341714 \| Yonyou KSOA HTTP GET Parameter work_info.jsp sql injection VDB-341714 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734549 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/8 |
| Yonyou–KSOA | A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1123 | VDB-341715 \| Yonyou KSOA HTTP GET Parameter work_mod.jsp sql injection VDB-341715 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734550 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/9 |
| Yonyou–KSOA | A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1124 | VDB-341716 \| Yonyou KSOA HTTP GET Parameter work_report.jsp sql injection VDB-341716 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734551 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/10 |
| zalando–skipper | Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The inline configuration allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0. | 2026-01-16 | 8.8 | CVE-2026-23742 | https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 https://github.com/zalando/skipper/releases/tag/v0.23.0 |
| Zeslecp–ZesleCP | ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host. | 2026-01-15 | 8.8 | CVE-2021-47794 | ExploitDB-50233 ZesleCP Official Website Exploit Demonstration Video VulnCheck Advisory: ZesleCP 3.1.9 – Remote Code Execution (RCE) (Authenticated) |
| Zohocorp–ManageEngine ADSelfService Plus | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. | 2026-01-13 | 9.1 | CVE-2025-11250 | https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html |
| Zohocorp–ManageEngine PAM360 | Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. | 2026-01-13 | 8.1 | CVE-2025-11669 | https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1Panel-dev–1Panel | 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. | 2026-01-18 | 6.4 | CVE-2026-23525 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42 |
| A-Plus Video Technologies–AP-RM864P | Certain NVR models developed by A-Plus Video Technologies have a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. | 2026-01-12 | 5.3 | CVE-2026-0853 | https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html https://www.twcert.org.tw/en/cp-139-10621-55584-2.html |
| aankit–SpiceForms Form Builder | The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spiceforms’ shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 6.4 | CVE-2025-12178 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9a19e96-2ca4-4072-aa2e-ab01f1685911?source=cve https://plugins.trac.wordpress.org/browser/spiceforms-form-builder/tags/1.0/spiceform.php#L135 |
| abage–Sosh Share Buttons | The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the ‘admin_page_content’ function. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38b8b563-10a4-4343-b95a-7d09cf6fd729?source=cve https://plugins.trac.wordpress.org/browser/sosh-share-buttons/tags/1.1.0/sosh.class.php#L138 |
| Adobe–Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21288 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21278 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe–Substance3D – Designer | Substance3D – Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21308 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21300 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21301 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21302 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe–Substance3D – Modeler | Substance3D – Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21303 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| adoncreatives–Testimonials Creator | The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3af18a17-81a0-4720-b222-153ab4ddf7d9?source=cve https://wordpress.org/plugins/testimonials-creator/ |
| akinloluwami–outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, this vulnerability allows a user, i.e. a free plan user, to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5. | 2026-01-14 | 5.9 | CVE-2026-22819 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6 |
| aliasvault–aliasvault | AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | 2026-01-14 | 6.1 | CVE-2026-22694 | https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q https://github.com/aliasvault/aliasvault/issues/1440 https://github.com/aliasvault/aliasvault/pull/1441 https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d https://github.com/aliasvault/aliasvault/releases/tag/0.25.3 |
| Altium–Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context. | 2026-01-15 | 6.1 | CVE-2026-1011 | https://www.altium.com/platform/security-compliance/security-advisories |
| AmauriC–tarteaucitron.js | tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0. | 2026-01-13 | 4.4 | CVE-2026-22809 | https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52 |
| aplazopayment–Aplazo Payment Gateway | The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. | 2026-01-14 | 5.3 | CVE-2025-15512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206 |
| Arunna–Arunna | Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | 2026-01-15 | 5.3 | CVE-2021-47754 | ExploitDB-50608 Archived Researcher Blog Arunna GitHub Repository |
| Automattic–Jetpack | Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims’ browsers when they interact with the contact form page. | 2026-01-13 | 6.1 | CVE-2023-54332 | ExploitDB-51104 Jetpack WordPress Plugin Homepage VulnCheck Advisory: Jetpack 11.4 – Cross Site Scripting (XSS) |
| avahi–avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire, avahi-daemon crashes. | 2026-01-12 | 6.5 | CVE-2025-68468 | https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52 https://github.com/avahi/avahi/issues/683 https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a |
| avahi–avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | 2026-01-12 | 6.5 | CVE-2025-68471 | https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg https://github.com/avahi/avahi/issues/678 https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1 |
| avahi–avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | 2026-01-12 | 5.5 | CVE-2025-68276 | https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc https://github.com/avahi/avahi/pull/806 https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688 |
| Awesome Motive–YouTube Feed Pro | The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the ‘sby_check_wp_submit’ AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the ‘Save Featured Images’ setting is enabled and ‘Disable WP Posts’ is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. | 2026-01-17 | 5.9 | CVE-2025-12002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve https://smashballoon.com/youtube-feed/ https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383 |
| awesomesupport–Awesome Support WordPress HelpDesk & Support Plugin | The Awesome Support – WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the ‘wpas_do_mr_activate_user’ function not verifying that a user has permission to modify other users’ roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the ‘wpas-do=mr_activate_user’ action with a user-controlled ‘user_id’ parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. | 2026-01-16 | 6.5 | CVE-2025-12641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183 https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1 |
| axllent–mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit’s SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. | 2026-01-18 | 5.3 | CVE-2026-23829 | https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B2Evolution–b2evolution | b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. | 2026-01-15 | 5.3 | CVE-2021-47800 | ExploitDB-50081 Official Vendor Homepage Software Download Page B2Evolution GitHub Repository VulnCheck Advisory: b2evolution 7.2.2 – ‘edit account details’ Cross-Site Request Forgery (CSRF) |
| bastillion-io–Bastillion | A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1063 | VDB-341631 \| bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection VDB-341631 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731303 \| bastillion-io Bastillion <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md |
| bastillion-io–Bastillion | A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1064 | VDB-341632 \| bastillion-io Bastillion System Management SystemKtrl.java command injection VDB-341632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731308 \| bastillion-io Bastillion SSH Key Manager <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md |
| bdthemes–Spin Wheel Interactive spinning wheel that offers coupons | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the ‘prize_index’ parameter sent to the server, allowing them to always select the most valuable prizes. | 2026-01-17 | 5.3 | CVE-2026-0808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail= |
| BlackBerry Ltd–QNX Software Development Platform | Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. | 2026-01-13 | 6.2 | CVE-2025-8090 | https://support.blackberry.com/pkb/s/article/141027 |
| bplugins–Team Section Block Showcase Team Members with Layout Options | The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2026-0833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3 https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail= |
| brechtvds–WP Recipe Maker | The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | 2026-01-16 | 4.3 | CVE-2025-15527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172 https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php |
| BYVoid–OpenCC | A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch. | 2026-01-18 | 5.3 | CVE-2025-15536 | VDB-341708 \| BYVoid OpenCC MaxMatchSegmentation.cpp MaxMatchSegmentation heap-based overflow VDB-341708 \| CTI Indicators (IOB, IOC, IOA) Submit #733347 \| BYVoid OpenCC ver.1.1.9 and master-branch Heap-based Buffer Overflow https://github.com/BYVoid/OpenCC/issues/997 https://github.com/BYVoid/OpenCC/pull/1005 https://github.com/oneafter/1222/blob/main/repro https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec |
| cakephp–cakephp | CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1. | 2026-01-16 | 5.4 | CVE-2026-23643 | https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 https://github.com/cakephp/cakephp/issues/19172 https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f https://bakery.cakephp.org/2026/01/14/cakephp_5212.html https://github.com/cakephp/cakephp/releases/tag/5.2.12 https://github.com/cakephp/cakephp/releases/tag/5.3.1 |
| cbutlerjr–WP-Members Membership Plugin | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-15 | 5.4 | CVE-2025-14448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89d1fa00-4757-4f86-bddb-a6a2dbcf9625?source=cve https://plugins.trac.wordpress.org/changeset/3418471/wp-members |
| Celestialsoftware–AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination. | 2026-01-15 | 6.2 | CVE-2021-47764 | ExploitDB-50511 Vendor Homepage |
| Celestialsoftware–AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. | 2026-01-15 | 6.2 | CVE-2021-47765 | ExploitDB-50510 Vendor Homepage |
| Chamilo–LMS | A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1106 | VDB-341698 \| Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization VDB-341698 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731510 \| Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR – Legal Consent Data Manipulat https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj |
| cijliu–librtsp | A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1108 | VDB-341700 \| cijliu librtsp rtsp_rely_dumps buffer overflow VDB-341700 \| CTI Indicators (IOB, IOC, IOA) Submit #732598 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md |
| cijliu–librtsp | A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in buffer overflow. Attacking locally is a requirement. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1109 | VDB-341701 \| cijliu librtsp rtsp_parse_request buffer overflow VDB-341701 \| CTI Indicators (IOB, IOC, IOA) Submit #732599 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_request/librtsp_rtsp_parse_request.md |
| cijliu–librtsp | A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes buffer overflow. It is possible to launch the attack on the local host. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1110 | VDB-341702 \| cijliu librtsp rtsp_parse_method buffer overflow VDB-341702 \| CTI Indicators (IOB, IOC, IOA) Submit #732603 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_method/librtsp_rtsp_parse_method.md |
| Cinspiration–RDP Manager | RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation. | 2026-01-15 | 6.2 | CVE-2021-47771 | ExploitDB-50484 Archived Software Download Page Vulnerability-Lab Disclosure |
| Cisco–Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20075 | cisco-sa-epnm-pi-stored-xss-GEkX8yWK |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20047 | cisco-sa-ise-xss-964cdxW5 |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20076 | cisco-sa-ise-xss-9TDh2kx |
| codepeople–CP Image Store with Slideshow | The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the ‘cpis_admin_init’ function’s permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | 2026-01-13 | 4.3 | CVE-2026-0684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826 https://plugins.trac.wordpress.org/changeset/3434716/ |
| ConnectWise–PSA | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | 2026-01-16 | 6.5 | CVE-2026-0696 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| creativemindssolutions–CM E-Mail Blacklist Simple email filtering for safer registration | The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘black_email’ parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-17 | 4.4 | CVE-2026-0691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail= |
| crushpics–Crush.pics Image Optimizer Image Compression and Optimization | The Crush.pics Image Optimizer – Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings. | 2026-01-14 | 4.3 | CVE-2025-14482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30 |
| cubewp1211–CubeWP Framework | The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2025-8615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve https://wordpress.org/plugins/cubewp-framework/#developers https://plugins.trac.wordpress.org/changeset/3362001#file10 |
| cubewp1211–CubeWP Framework | The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-17 | 5.3 | CVE-2025-12129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php |
| cyberlord92–Integrate Dynamics 365 CRM | The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 4.4 | CVE-2026-0725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/changeset/3438502/ |
| Dell–SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2026-01-13 | 6.6 | CVE-2025-46684 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| dfieldfl–WP Allowed Hosts | The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allowed-hosts’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/700e9d1c-a178-4033-8607-652178860211?source=cve https://plugins.trac.wordpress.org/browser/wp-allow-hosts/trunk/allowed-hosts.php#L170 https://plugins.trac.wordpress.org/browser/wp-allow-hosts/tags/1.0.8/allowed-hosts.php#L170 |
| e107–e107 CMS | e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | 2026-01-13 | 4.8 | CVE-2022-50906 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 – Admin Upload Restriction Bypass + Stored XSS |
| Elastic–Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs. | 2026-01-13 | 6.5 | CVE-2026-0530 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521 |
| Elastic–Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users. | 2026-01-13 | 6.5 | CVE-2026-0531 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522 |
| Elastic–Kibana | Improper Input Validation (CWE-20) in Kibana’s Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed. | 2026-01-13 | 6.5 | CVE-2026-0543 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523 |
| Elastic–Metricbeat | Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data. | 2026-01-13 | 6.5 | CVE-2026-0528 | https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 |
| Elastic–Packetbeat | Improper Validation of Array Index (CWE-129) in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. | 2026-01-14 | 6.5 | CVE-2026-0529 | https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520 |
| electric-studio–Electric Studio Download Counter | The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a22bba3e-423a-4231-833b-c0be57a3bf7b?source=cve https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L202 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L202 |
| EnterpriseDB–Postgres Enterprise Manager (PEM) | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. | 2026-01-16 | 6.5 | CVE-2026-0949 | https://www.enterprisedb.com/docs/security/advisories/cve20260949/ |
| espressif–esp-usb | Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0. | 2026-01-12 | 6.8 | CVE-2025-68622 | https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827 https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0 https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog |
| espressif–esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.8 | CVE-2025-68656 | https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7 https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| espressif–esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.4 | CVE-2025-68657 | https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| floattechnologies–Float Payment Gateway | The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed. | 2026-01-14 | 5.3 | CVE-2025-15513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477 |
| Fortinet–FortiClientEMS | An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | 2026-01-13 | 6.8 | CVE-2025-59922 | https://fortiguard.fortinet.com/psirt/FG-IR-25-735 |
| Fortinet–FortiVoice | An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests. | 2026-01-13 | 5.7 | CVE-2025-58693 | https://fortiguard.fortinet.com/psirt/FG-IR-25-778 |
| GeoNetwork–GeoNetwork | Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests. | 2026-01-13 | 6.5 | CVE-2022-50899 | ExploitDB-50982 GeoNetwork Official Homepage VulnCheck Advisory: Geonetwork 4.2.0 – XML External Entity (XXE) |
| Geovision–GeoVision Geowebserver | GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts. | 2026-01-15 | 6.2 | CVE-2021-47795 | ExploitDB-50211 GeoVision Cyber Security Page VulnCheck Advisory: GeoVision Geowebserver 5.3.3 – Local File Inclusion |
| Gotac–Police Statistics Database System | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | 2026-01-16 | 5.3 | CVE-2026-1020 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| gothamdev–Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the ‘ghostban’ shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-14 | 6.5 | CVE-2025-15020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56 |
| gothamdev–Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-15021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c36899-3c7b-41b6-a38d-86c8834b4c03?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/gothamblock.php?marks=463,470,495,500,504,519,564,578#L463 |
| guillaumev–LinkedIn SC | The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘linkedin_sc_date_format’, ‘linkedin_sc_api_key’, and ‘linkedin_sc_secret_key’ parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1c4fd888-aeaf-4451-a151-8f884bc22f0b?source=cve https://plugins.trac.wordpress.org/browser/linkedin-sc/tags/1.1.9/linkedin-sc.php#L164 https://plugins.trac.wordpress.org/browser/linkedin-sc/trunk/linkedin-sc.php#L164 |
| gurayyarar–SnipCommand | SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. | 2026-01-16 | 6.1 | CVE-2021-47841 | ExploitDB-49829 SnipCommand GitHub Repository Proof of Concept Video VulnCheck Advisory: SnipCommand 0.1.0 – Persistent Cross-Site Scripting |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism. | 2026-01-13 | 6.5 | CVE-2025-37176 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | 2026-01-13 | 6.5 | CVE-2025-37177 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37178 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37179 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–EdgeConnect SD-WAN Orchestrator | A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system. | 2026-01-14 | 6.5 | CVE-2025-37184 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. | 2026-01-14 | 5.5 | CVE-2025-37185 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Huawei–HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.2 | CVE-2025-68959 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei–HarmonyOS | Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.2 | CVE-2025-68964 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.8 | CVE-2025-68969 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei–HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.1 | CVE-2025-68970 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68961 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei–HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68962 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei–HarmonyOS | Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68963 | https://consumer.huawei.com/en/support/bulletin/2026/1// |
| Huawei–HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.1 | CVE-2025-68966 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei–HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68967 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei–HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 4.7 | CVE-2025-68965 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Istio–Istio | Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter’s position is “this doesn’t represent a security vulnerability (pod creators can already exclude sidecar injection entirely).” | 2026-01-15 | 4.1 | CVE-2026-23766 | https://github.com/istio/istio/issues/58781 https://github.com/istio/istio/pull/58785 |
| itsourcecode–Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-18 | 6.3 | CVE-2026-1118 | VDB-341710 \| itsourcecode Society Management System add_activity.php sql injection; VDB-341710 \| CTI Indicators (IOB, IOC, TTP, IOA); Submit #734289 \| itsourcecode Society Management System V1.0 SQL injection; https://github.com/AriazzzZ/CVE/issues/2 https://itsourcecode.com/ |
| jackdewey–Community Events | The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the ‘eventlist’ parameter. | 2026-01-17 | 5.3 | CVE-2025-14029 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail= |
| jersou–Markdown Explorer | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | 2026-01-16 | 6.1 | CVE-2021-47836 | ExploitDB-49826 Markdown Explorer GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdown Explorer 0.1.1 – Persistent Cross-Site Scripting |
| jokkedk–Webgrind | Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim’s browsers by crafting malicious URLs. | 2026-01-13 | 6.1 | CVE-2023-54341 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 – Reflected Cross-Site Scripting (XSS) via file Parameter |
| Juniper Networks–Junos OS | An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS). When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks. This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S10, * from 22.2 before 22.2R3-S7, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2. | 2026-01-15 | 6.5 | CVE-2026-0203 | https://supportportal.juniper.net/JSA104294 https://kb.juniper.net/JSA104294 |
| Juniper Networks–Junos OS | A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS: * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2. | 2026-01-15 | 6.5 | CVE-2026-21903 | https://supportportal.juniper.net/JSA106022 https://kb.juniper.net/JSA106022 |
| Juniper Networks–Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the ‘show task memory detail’ command. For example: `user@junos> show task memory detail \| match ted-infra` → `TED-INFRA-COOKIE 25 1072 28 1184 229`; later, `user@junos> show task memory detail \| match ted-infra` → `TED-INFRA-COOKIE 31 1360 34 1472 307`. This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO. | 2026-01-15 | 6.5 | CVE-2026-21909 | https://supportportal.juniper.net/JSA106008 https://kb.juniper.net/JSA106008 |
| Juniper Networks–Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS). On all EX4k and QFX5k platforms, a link flap in an EVPN-VXLAN configuration Link Aggregation Group (LAG) results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination. This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. Service can only be restored by restarting the affected FPC via the ‘request chassis fpc restart slot <slot-number>’ command. This issue affects Junos OS on EX4k and QFX5k Series: * all versions before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2. | 2026-01-15 | 6.5 | CVE-2026-21910 | https://supportportal.juniper.net/JSA106009 https://kb.juniper.net/JSA106009 |
| Juniper Networks–Junos OS | A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which – depending on the process – can cause a complete outage until the system has recovered. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21921 | https://supportportal.juniper.net/JSA106021 https://kb.juniper.net/JSA106021 |
| Juniper Networks–Junos OS | An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS). When the command ‘show route < ( receive-protocol \| advertising-protocol ) bgp > detail’ is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart. ‘show route … extensive’ is not affected. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59959 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103148 |
| Juniper Networks–Junos OS | An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59961 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103150 |
| Juniper Networks–Junos OS | A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). When a user executes the ‘show chassis’ command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from. This issue affects: Junos OS on MX, SRX and EX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2. | 2026-01-15 | 5.5 | CVE-2025-60007 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103173 |
| Juniper Networks–Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.8 | CVE-2025-60011 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103161 |
| Juniper Networks–Junos OS | A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the ‘show system firmware’ CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the ‘show system firmware’ CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core dump. This issue affects Junos OS on MX10k Series: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S9, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S6, * from 23.2 before 23.2R2-S2, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R2. | 2026-01-15 | 5.5 | CVE-2026-21912 | https://supportportal.juniper.net/JSA106011 https://kb.juniper.net/JSA106011 |
| Juniper Networks–Junos OS Evolved | An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved: * all versions before 21.4R3-S7-EVO, * from 22.2 before 22.2R3-S4-EVO, * from 22.3 before 22.3R3-S3-EVO, * from 22.4 before 22.4R3-S2-EVO, * from 23.2 before 23.2R2-S1-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21911 | https://supportportal.juniper.net/JSA106010 https://kb.juniper.net/JSA106010 |
| Juniper Networks–Junos Space | A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications. This issue affects all versions of Junos Space before 24.1R5. | 2026-01-15 | 5.9 | CVE-2026-21907 | https://supportportal.juniper.net/JSA106006 https://kb.juniper.net/JSA106006 |
| Juniper Networks–Paragon Automation (Pathfinder, Planner, Insights) | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application’s failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker’s control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. | 2026-01-15 | 6.1 | CVE-2025-52987 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103145 |
| kalcaddle–kodbox | A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 6.3 | CVE-2026-1066 | VDB-341665 \| kalcaddle kodbox Compression zip command injection VDB-341665 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731436 \| kalcaddle kodbox <=1.61.10 Command Injection https://github.com/DReazer/CV3/blob/main/Krce.md |
| keesiemeijer–Related Posts by Taxonomy | The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘related_posts_by_tax’ shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0916 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842?source=cve https://plugins.trac.wordpress.org/browser/related-posts-by-taxonomy/tags/2.7.6/includes/functions.php#L259 |
| kimai–kimai | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai’s export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue. | 2026-01-18 | 6.8 | CVE-2026-23626 | https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg https://github.com/kimai/kimai/pull/5757 https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f https://github.com/kimai/kimai/releases/tag/2.46.0 |
| kiwicommerce–PDF Resume Parser | The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | 2026-01-14 | 5.3 | CVE-2025-14464 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a84bcc2-23e0-4624-89a4-7bbb1b34c498?source=cve https://plugins.trac.wordpress.org/browser/pdf-resume-parser/trunk/pdf-resume-parser.php#L309 https://plugins.trac.wordpress.org/browser/pdf-resume-parser/tags/1.0/pdf-resume-parser.php#L309 |
| kunzemarketing–Kunze Law | The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin’s shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Additional presence of a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server. | 2026-01-14 | 4.4 | CVE-2025-15486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7957619-e562-4043-920d-275c58684328?source=cve https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L406 https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L531 |
| Laborator–Kalium 3 \| Creative WordPress & WooCommerce Theme | The Kalium 3 \| Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server’s behalf. | 2026-01-15 | 5.3 | CVE-2025-12895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=cve https://themeforest.net/item/kalium-creative-theme-for-professionals/10860525 https://documentation.laborator.co/kb/kalium/kalium-changelog/ |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23724 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23731 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Lenovo–ThinkPad L13 Gen 6 BIOS | A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as “On” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. | 2026-01-14 | 6.5 | CVE-2026-0421 | https://support.lenovo.com/us/en/product_security/LEN-210688 |
| Lenovo–ThinkPlus FU100 | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. | 2026-01-14 | 6.8 | CVE-2025-13453 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo–ThinkPlus FU100 | A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | 2026-01-14 | 4.7 | CVE-2025-13454 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo–Vantage | An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. | 2026-01-14 | 5.5 | CVE-2025-13154 | https://support.lenovo.com/us/en/product_security/LEN-208293 |
| linknacional–Rede Itaú for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed. | 2026-01-16 | 5.3 | CVE-2026-0939 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710 |
| linknacional–Rede Itaú for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce – Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | 2026-01-16 | 5.3 | CVE-2026-0942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58 |
| lobehub–lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim’s machine. Version 2.0.0-next.180 patches the issue. | 2026-01-18 | 6.4 | CVE-2026-23733 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443 |
| logiceverest–Shipping Rates by City for WooCommerce | The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘cities’ parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 4.9 | CVE-2026-0678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ada476b-6978-4c38-a5d3-67266a709a3e?source=cve https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/trunk/shipping-method-class.php#L154 https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/tags/1.0.3/shipping-method-class.php#L154 |
| lottiefile–LottieFiles Lottie block for Gutenberg | The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner’s LottieFiles.com account credentials including their API access token and email address when the ‘Share LottieFiles account with other WordPress users’ option is enabled. | 2026-01-14 | 5.3 | CVE-2026-0717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19b159ca-4b41-48b4-880d-9b9dc44b3463?source=cve https://plugins.trac.wordpress.org/browser/lottiefiles/tags/3.0.0/src/common.php?marks=21,122#L21 |
| lwj–flow | A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file flow-masterflow-front-restsrcmainjavacomdragonflowwebresourceflowFormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 6.3 | CVE-2026-1126 | VDB-341718 \| lwj flow SVG File FormResource.java uploadFile unrestricted upload VDB-341718 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735122 \| https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload https://gitee.com/lwj/flow/issues/IDIQSE |
| mailerlite–MailerLite WooCommerce integration | The MailerLite – WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin’s integration settings, delete all plugin options, and drop the plugin’s database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | 2026-01-16 | 6.5 | CVE-2026-1000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520?source=cve https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/WooMailerLite.php#L127 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/admin/controllers/WooMailerLiteAdminSettingsController.php#L231 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/migrations/WooMailerLiteMigration.php#L33 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415073%40woo-mailerlite%2Ftrunk&old=3399626%40woo-mailerlite%2Ftrunk&sfp_email=&sfph_mail= |
| makesweat–Makesweat | The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘makesweat_clubid’ setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2025-13627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve https://it.wordpress.org/plugins/makesweat/ https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85 |
| mallsop–List Site Contributors | The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘alpha’ parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-14 | 6.1 | CVE-2026-0594 | https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435 https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435 |
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | 2026-01-16 | 6.8 | CVE-2025-14435 | https://mattermost.com/security-updates |
| memsource–Phrase TMS Integration for WordPress | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_delete_log’ AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | 2026-01-17 | 4.3 | CVE-2025-12168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/396f2426-7bc4-4221-bc48-920bec5af6e5?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426034%40memsource-connector&new=3426034%40memsource-connector&sfp_email=&sfph_mail= |
| metagauss–EventPrime Events Calendar, Bookings and Tickets | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | 2026-01-13 | 5.3 | CVE-2025-14507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bb?source=cve https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L447 https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L651 https://plugins.trac.wordpress.org/changeset/3422587/ https://plugins.trac.wordpress.org/changeset/3432454/ |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Server-side request forgery (SSRF) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. | 2026-01-13 | 5.4 | CVE-2026-20958 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 4.6 | CVE-2026-20959 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper input validation in Windows LDAP – Lightweight Directory Access Protocol allows an authorized attacker to perform tampering over a network. | 2026-01-13 | 6.5 | CVE-2026-20812 | LDAP Tampering Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20821 | Remote Procedure Call Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20847 | Microsoft Windows File Explorer Spoofing Vulnerability |
| Microsoft–Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20872 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft–Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20925 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft–Windows 10 Version 1809 | Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Affected certificate authorities (CA; location; purpose; expiration date): Microsoft Corporation KEK CA 2011 (KEK; signs updates to the DB and DBX; 06/24/2026); Microsoft Corporation UEFI CA 2011 (DB; signs 3rd party boot loaders, Option ROMs, etc.; 06/27/2026); Microsoft Windows Production PCA 2011 (DB; signs the Windows Boot Manager; 10/19/2026). For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. | 2026-01-13 | 6.4 | CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20823 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 5.5 | CVE-2026-20824 | Windows Remote Assistance Security Feature Bypass Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20827 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Out-of-bounds read in Windows TPM allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20829 | TPM Trustlet Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20839 | Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20862 | Windows Management Services Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows SMB Server allows an authorized attacker to deny service over a network. | 2026-01-13 | 5.3 | CVE-2026-20927 | Windows SMB Server Denial of Service Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20932 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20937 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20939 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20825 | Windows Hyper-V Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Out-of-bounds read in Windows Internet Connection Sharing (ICS) allows an unauthorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20828 | Windows rndismp6.sys Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20834 | Windows Spoofing Vulnerability |
| Microsoft–Windows 10 Version 1809 | Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.3 | CVE-2026-20936 | Windows NDIS Information Disclosure Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20935 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20819 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
| Microsoft–Windows Server 2019 | Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20818 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft–Windows Server 2019 | Use of a broken or risky cryptographic algorithm in Windows Kerberos allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20833 | Windows Kerberos Information Disclosure Vulnerability |
| Microsoft–Windows Server 2022 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20838 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20851 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 6.7 | CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20835 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| monetizemore–Advanced Ads Ad Manager & AdSense | The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-17 | 4.9 | CVE-2025-12984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail= |
| mPDF–mPDF | mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. | 2026-01-13 | 6.2 | CVE-2022-50897 | ExploitDB-50995 Official mPDF Project Homepage VulnCheck Advisory: mPDF 7.0 – Local File Inclusion |
| n/a–EyouCMS | A weakness has been identified in EyouCMS up to 1.7.1/5.0. This affects the function check_userinfo of the file Diyajax.php in the Member Avatar Handler component. Manipulating the argument viewfile can lead to unrestricted upload. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 6.3 | CVE-2026-1107 | VDB-341699 \| EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload VDB-341699 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731540 \| Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md#poc |
| n/a–Mapnik | A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Manipulation leads to a heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 5.3 | CVE-2025-15537 | VDB-341709 \| Mapnik dbfile.cpp string_value heap-based overflow VDB-341709 \| CTI Indicators (IOB, IOC, IOA) Submit #733348 \| mapnik Mapnik v4.2.0 and master-branch Heap-based Buffer Overflow https://github.com/mapnik/mapnik/issues/4543 https://github.com/oneafter/1218/blob/main/repro |
| n/a–net.sourceforge.plantuml:plantuml | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. | 2026-01-16 | 6.1 | CVE-2026-0858 | https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd https://github.com/plantuml/plantuml/releases/tag/v1.2026.0 |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. An unknown function of the GTPv2 Bearer Response Handler component is affected. Manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. The patch should be applied to remediate this issue. | 2026-01-16 | 5.3 | CVE-2025-15528 | VDB-341595 \| Open5GS GTPv2 Bearer Response denial of service VDB-341595 \| CTI Indicators (IOB, IOC, TTP) Submit #728128 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4225 https://github.com/open5gs/open5gs/issues/4225#issue-3769531006 https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1 |
| n/a–Open5GS | A vulnerability was found in Open5GS up to 2.7.6. This issue affects the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Manipulation results in denial of service. The attack can be exploited remotely. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy the patch. | 2026-01-16 | 5.3 | CVE-2025-15529 | VDB-341596 \| Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-341596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728130 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4226 https://github.com/open5gs/open5gs/issues/4226#issue-3769595366 https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2 |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Manipulation can lead to a reachable assertion. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15530 | VDB-341597 \| Open5GS s11-handler.c assertion VDB-341597 \| CTI Indicators (IOB, IOC, IOA) Submit #728987 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4231 https://github.com/open5gs/open5gs/issues/4231#issue-3774187007 |
| n/a–Open5GS | A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. Manipulation leads to a reachable assertion. The attack can be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15531 | VDB-341598 \| Open5GS context.c sgwc_bearer_add assertion VDB-341598 \| CTI Indicators (IOB, IOC, IOA) Submit #729339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4233 https://github.com/open5gs/open5gs/issues/4233#issue-3776216182 |
| n/a–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the Timer Handler component. Manipulation results in resource consumption. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply the patch to resolve this issue. | 2026-01-17 | 5.3 | CVE-2025-15532 | VDB-341599 \| Open5GS Timer resource consumption VDB-341599 \| CTI Indicators (IOB, IOC, TTP) Submit #729354 \| Open5GS SGWC v2.7.6 Denial of Service Submit #729357 \| Open5GS SGWC v2.7.6 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4220 https://github.com/open5gs/open5gs/issues/4221 https://github.com/open5gs/open5gs/issues/4220#issue-3766066853 https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845 |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c in the sgwc component. Manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy the patch. The issue report is flagged as already-fixed. | 2026-01-18 | 5.3 | CVE-2025-15539 | VDB-341732 \| Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service VDB-341732 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4230 https://github.com/open5gs/open5gs/issues/4230#issue-3774173079 https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f |
| n8n-io–n8n | n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. | 2026-01-13 | 5.3 | CVE-2025-68949 | https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp https://github.com/n8n-io/n8n/issues/23399 https://github.com/n8n-io/n8n/pull/23399 https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5 |
| naa986–Payment Button for PayPal | The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. | 2026-01-17 | 5.3 | CVE-2025-14463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/814e50de-3690-4adf-bc01-a63cd71bd1cf?source=cve https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3431974%40wp-paypal&new=3431974%40wp-paypal&sfp_email=&sfph_mail= |
| netcashpaynow–Netcash WooCommerce Payment Gateway | The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. | 2026-01-14 | 5.3 | CVE-2025-14880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127 |
| ninjateam–WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ‘duplicateBulkHandle’ and ‘duplicateBulkHandleHPOS’ functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin’s “Allowed User Roles” setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. | 2026-01-13 | 5.4 | CVE-2025-14001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79 https://plugins.trac.wordpress.org/changeset/3432233/ |
| nofearinc–WP-CRM System Manage Clients and Projects | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. | 2026-01-14 | 5.4 | CVE-2025-14854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942 https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177 |
| NSecsoft–NSecKrnl | NSecsoft ‘NSecKrnl’ is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver. | 2026-01-13 | 4.7 | CVE-2025-68947 |  |
| obridgeacademy–WPBlogSyn | The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin’s remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/141137a4-609f-4ea9-beba-d37b48144c29?source=cve https://plugins.trac.wordpress.org/browser/wpblogsync/tags/1.0/blogsync.php#L14 |
| Open Asset Import Library–Assimp | A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. This vulnerability affects the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Manipulation leads to a use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128. | 2026-01-18 | 5.3 | CVE-2025-15538 | VDB-341727 \| Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free VDB-341727 \| CTI Indicators (IOB, IOC, IOA) Submit #735232 \| Open Asset Import Library Assimp 6.0.2 Use After Free https://github.com/assimp/assimp/issues/6258 https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530 https://github.com/user-attachments/files/21216542/assimp_poc10.zip |
| opencryptoki–opencryptoki | openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, a heap buffer overflow in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption or denial of service. | 2026-01-13 | 6.6 | CVE-2026-22791 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7 https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7 https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 |
| OpenSC project–pam_pkcs11 | In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. | 2026-01-16 | 6.7 | CVE-2025-24531 | https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch https://github.com/OpenSC/pam_pkcs11/releases https://www.openwall.com/lists/oss-security/2025/02/06/3 |
| opensourcepos–opensourcepos | Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 contain a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the permission “Configuration: Change OSPOS’s Configuration” can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete: first select Sales, choose New Item to create an item, then click on Completed. Due to insufficient input validation and output encoding, the payload is rendered and executed in the user’s browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. | 2026-01-13 | 4.3 | CVE-2025-68658 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw https://github.com/opensourcepos/opensourcepos/commit/849439c71eaa4c15857fb7c603297261c2ddc26d |
| paultgoodchild–Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user. | 2026-01-16 | 4.3 | CVE-2025-15370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall |
| payhere–PayHere Payment Gateway Plugin for WooCommerce | The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. | 2026-01-14 | 5.3 | CVE-2025-15475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709 |
| perfitdev–Perfit WooCommerce | The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. | 2026-01-14 | 5.3 | CVE-2025-14173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102 https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102 |
| Phpwcms–Phpwcms | Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform. | 2026-01-15 | 5.4 | CVE-2021-47783 | ExploitDB-50363 Official Product Homepage VulnCheck Advisory: Phpwcms 1.9.30 – Arbitrary File Upload |
| pimcore–pimcore | Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing “Favourite Output Channel Configurations.” Testing revealed that an authenticated backend user lacking explicit permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | 2026-01-15 | 5.4 | CVE-2026-23496 | https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r https://github.com/pimcore/web2print-tools/pull/108 https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1 https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2 https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1 |
| pimcore–pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 4.3 | CVE-2026-23494 | https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf https://github.com/pimcore/pimcore/pull/18893 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| pimcore–pimcore | Pimcore’s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore’s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | 2026-01-15 | 4.3 | CVE-2026-23495 | https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.1 | CVE-2026-22695 | https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp https://github.com/pnggroup/libpng/issues/778 https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.8 | CVE-2026-22801 | https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 |
| prasannasp–Short Link | The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘short_link_post_title’ and ‘short_link_page_title’ parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8623d2cc-dcdd-4453-9a86-669bdd44eae1?source=cve https://plugins.trac.wordpress.org/browser/short-link/tags/1.0/short-link.php#L118 https://plugins.trac.wordpress.org/browser/short-link/trunk/short-link.php#L118 |
| radykal–Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2026-01-16 | 5.3 | CVE-2025-15526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| raysan5–raylib | A vulnerability was determined in raysan5 raylib up to 909f040. This vulnerability affects the function GenImageFontAtlas of the file src/rtext.c. Manipulation can lead to a heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying the patch is advised to resolve this issue. | 2026-01-18 | 5.3 | CVE-2025-15533 | VDB-341705 \| raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow VDB-341705 \| CTI Indicators (IOB, IOC, IOA) Submit #733341 \| raysan5 raylib 909f040 Heap-based Buffer Overflow Submit #733342 \| raysan5 raylib 909f040 Heap-based Buffer Overflow (Duplicate) https://github.com/raysan5/raylib/issues/5433 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/hbf2 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| raysan5–raylib | A vulnerability was identified in raysan5 raylib up to 909f040. This issue affects the function LoadFontData of the file src/rtext.c. Manipulation leads to an integer overflow. The attack can only be performed locally. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install the patch to address this issue. | 2026-01-18 | 5.3 | CVE-2025-15534 | VDB-341706 \| raysan5 raylib rtext.c LoadFontData integer overflow VDB-341706 \| CTI Indicators (IOB, IOC, IOA) Submit #733343 \| raysan5 raylib 909f040 Integer Overflow https://github.com/raysan5/raylib/issues/5436 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/segv1 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| rebelcode–RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-16 | 6.1 | CVE-2025-14375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. | 2026-01-14 | 6.5 | CVE-2025-14242 | RHSA-2026:0605 RHSA-2026:0606 RHSA-2026:0608 https://access.redhat.com/security/cve/CVE-2025-14242 RHBZ#2419826 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | 2026-01-15 | 5.9 | CVE-2026-0990 | https://access.redhat.com/security/cve/CVE-2026-0990 RHBZ#2429959 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted. | 2026-01-13 | 4.8 | CVE-2026-0716 | https://access.redhat.com/security/cve/CVE-2026-0716 RHBZ#2427896 https://gitlab.gnome.org/GNOME/libsoup/-/issues/476 |
| rndsand81–Stopwords for comments | The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the ‘set_stopwords_for_comments’ and ‘delete_stopwords_for_comments’ functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151 |
| roxnor–GetGenie AI Content Writer with Keyword Research & SEO Tracking Tools | The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | 2026-01-16 | 4.3 | CVE-2026-1003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38ec647a-3c0c-4d3c-ba34-64c17803867b?source=cve https://plugins.trac.wordpress.org/browser/getgenie/trunk/app/Api/GetGenieChat.php#L153 https://plugins.trac.wordpress.org/changeset/3436920/ |
| saadiqbal–Quick Contact Form | The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the ‘qcf_validate_form’ AJAX endpoint allowing a user controlled parameter to set the ‘from’ email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details. | 2026-01-17 | 5.8 | CVE-2025-12718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail= |
| sablab–Internal Link Builder | The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1febe071-b296-4958-a9e8-9be9391f2390?source=cve https://plugins.trac.wordpress.org/browser/internal-link-builder/trunk/InternalLinkBuilder.php#L133 |
| Sanluan–PublicCMS | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1112 | VDB-341704 \| Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization VDB-341704 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732771 \| publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) https://github.com/AnalogyC0de/public_exp/issues/4 |
| Sanluan–PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 4.7 | CVE-2026-1111 | VDB-341703 \| Sanluan PublicCMS Task Template Management TaskTemplateAdminController.java save path traversal VDB-341703 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732726 \| publiccms PublicCMS <= V5.202506.d Remote Code Execution (RCE) https://github.com/AnalogyC0de/public_exp/issues/2 |
| SAP_SE–Business Server Pages Application (Product Designer Web UI) | SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | 2026-01-13 | 4.3 | CVE-2026-0497 | https://me.sap.com/notes/3677111 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business Connector | Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. | 2026-01-13 | 6.1 | CVE-2026-0514 | https://me.sap.com/notes/3666061 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) | Due to a missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application, which might further affect downstream systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no effect on availability. | 2026-01-13 | 6.4 | CVE-2026-0503 | https://me.sap.com/notes/3681523 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 6.6 | CVE-2026-0496 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 5.1 | CVE-2026-0495 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on integrity of the system. This has no impact on confidentiality and availability. | 2026-01-13 | 4.3 | CVE-2026-0493 | https://me.sap.com/notes/3655229 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. | 2026-01-13 | 4.3 | CVE-2026-0494 | https://me.sap.com/notes/3655227 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user’s browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application’s confidentiality and integrity, with no impact on availability. | 2026-01-13 | 6.1 | CVE-2026-0499 | https://me.sap.com/notes/3687372 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes low impact on integrity of the application. Confidentiality and availability are not impacted. | 2026-01-13 | 4.7 | CVE-2026-0513 | https://me.sap.com/notes/3638716 https://url.sap/sapsecuritypatchday |
| SchedMD–Slurm | In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. | 2026-01-16 | 4.2 | CVE-2025-43904 | https://www.schedmd.com/security-policy/ https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce@lists.schedmd.com/message/B73QHKW6TKE2T5KDWVPIWNE5H4KWX667/ |
| Schlix–Schlix CMS | Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. | 2026-01-16 | 6.4 | CVE-2021-47834 | ExploitDB-49837 Vendor Homepage VulnCheck Advisory: Schlix CMS 2.2.6-6 – ‘title’ Persistent Cross-Site Scripting (Authenticated) |
| searchwiz–SearchWiz | The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page. | 2026-01-14 | 6.4 | CVE-2026-0694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616 https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616 |
| shoheitanaka–PAYGENT for WooCommerce | The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. | 2026-01-17 | 5.3 | CVE-2025-14078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= |
| SICK AG–Incoming Goods Suite | The built-in XY Chart plugin contains a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | 2026-01-15 | 6.8 | CVE-2026-22637 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when (1) an Organization administrator exists, and (2) the Server administrator is either not part of any organization, or part of the same organization as the Organization administrator. Impact: Organization administrators can permanently delete Server administrator accounts; if the only Server administrator is deleted, the Grafana instance becomes unmanageable; no super-user permissions remain in the system; all users, organizations, and teams managed in the instance are affected. The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | 2026-01-15 | 5.5 | CVE-2026-22640 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | This vulnerability in Grafana’s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | 2026-01-15 | 5 | CVE-2026-22641 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user’s session and gain unauthorized access. | 2026-01-15 | 5.3 | CVE-2026-22644 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | 2026-01-15 | 5.3 | CVE-2026-22645 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01. | 2026-01-15 | 4.3 | CVE-2026-22639 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL. | 2026-01-15 | 4.2 | CVE-2026-22642 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–Incoming Goods Suite | Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application’s internal structure and discover other, more critical vulnerabilities. | 2026-01-15 | 4.3 | CVE-2026-22646 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG–TDC-X401GL | Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | 2026-01-15 | 5.3 | CVE-2026-22911 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users. | 2026-01-15 | 4.3 | CVE-2026-22912 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | Improper handling of a URL parameter may allow attackers to execute code in a user’s browser after login. This can lead to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22913 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. | 2026-01-15 | 4.3 | CVE-2026-22914 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | 2026-01-15 | 4.3 | CVE-2026-22915 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. | 2026-01-15 | 4.3 | CVE-2026-22916 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. | 2026-01-15 | 4.3 | CVE-2026-22917 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22918 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| sigstore–fulcio | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio’s metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. | 2026-01-12 | 5.8 | CVE-2026-22772 | https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d |
| Skyjos–Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users’ browsers. | 2026-01-13 | 6.2 | CVE-2022-50891 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server |
| SMEWebify–WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. | 2026-01-12 | 5.4 | CVE-2026-22789 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4 https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69 |
| smings–LEAV Last Email Address Validator | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-16 | 4.3 | CVE-2025-14853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257 |
| smub–All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. | 2026-01-16 | 4.3 | CVE-2025-14384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack |
| socialchampio–SocialChamp with WordPress | The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157 |
| softwarepub–hermes | hermes is an implementation of the HERMES workflow to automate software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | 2026-01-12 | 5.9 | CVE-2026-22798 | https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23 https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514 |
| specialk–User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘usp_access’ shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20 https://plugins.trac.wordpress.org/changeset/3439027/ |
| Spring–CLI VSCode Extension | The VSCode extension for Spring CLI is vulnerable to command injection, resulting in command execution on the user's machine. | 2026-01-14 | 6.8 | CVE-2026-22718 | https://spring.io/security/cve-2026-22718 |
| stylemix–Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order’s payment status as “completed” without actual payment. | 2026-01-16 | 5.3 | CVE-2025-14757 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98 https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php |
| sweetdaisy86–RepairBuddy Repair Shop CRM & Booking Plugin for WordPress | The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. | 2026-01-17 | 5.3 | CVE-2026-0820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=cve https://plugins.trac.wordpress.org/browser/computer-repair-shop/trunk/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/browser/computer-repair-shop/tags/4.1116/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436356%40computer-repair-shop&new=3436356%40computer-repair-shop&sfp_email=&sfph_mail= |
| Syed Balkhi–WPForms | WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim’s browser. | 2026-01-13 | 6.1 | CVE-2020-36919 | ExploitDB-51152 WPForms Lite Plugin Homepage VulnCheck Advisory: WPForms 1.7.8 – Cross-Site Scripting (XSS) |
| techknowprime–Responsive Accordion Slider | The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘resp_accordion_silder_save_images’ function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider’s image metadata including titles, descriptions, alt text, and links. | 2026-01-14 | 4.3 | CVE-2026-0635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55cfb2c6-ca3f-45b7-8cd9-a5a1c3783ae0?source=cve https://plugins.trac.wordpress.org/browser/responsive-accordion-slider/tags/1.2.2/includes/admin/class-ras-admin.php#L101 |
| Testa–Testa | Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim’s browser context. | 2026-01-13 | 6.1 | CVE-2022-50896 | ExploitDB-51023 Archived Product Homepage VulnCheck Advisory: Testa 3.5.1 Online Test Management System – Reflected Cross-Site Scripting (XSS) |
| thimpress–Thim Blocks | The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the ‘iconSVG’ parameter, which can contain sensitive information such as wp-config.php. | 2026-01-17 | 6.5 | CVE-2025-13725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail= |
| thimpress–WP Hotel Booking | The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the ‘hotel_booking_fetch_customer_info’ AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | 2026-01-17 | 5.3 | CVE-2025-14075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail= |
| thundernest–ImportExportTools NG | ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | 2026-01-15 | 6.1 | CVE-2021-47768 | ExploitDB-50496 ImportExportTools NG GitHub Repository Thunderbird Addon Page Vulnerability-Lab Disclosure |
| torstenbulk–DK PDF WordPress PDF Generator | The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the ‘addContentToMpdf’ function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-16 | 5 | CVE-2025-14793 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134 |
| traefik–traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates’ automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. | 2026-01-15 | 5.9 | CVE-2026-22045 | https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d https://github.com/traefik/traefik/releases/tag/v2.11.35 https://github.com/traefik/traefik/releases/tag/v3.6.7 |
| treeverse–lakeFS | lakeFS is an open-source tool that transforms object storage into Git-like repositories. LakeFS’s S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. | 2026-01-15 | 6.5 | CVE-2025-68671 | https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f https://github.com/treeverse/lakeFS/issues/9599 https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8 |
| Ttyplus–MTPutty | MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | 2026-01-15 | 6.2 | CVE-2021-47759 | ExploitDB-50574 Official MTPutty Product Homepage |
| Ubeeinteractive–Ubee EVW327 | Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user’s consent. | 2026-01-16 | 5.3 | CVE-2021-47820 | ExploitDB-49920 Ubee Interactive Official Homepage VulnCheck Advisory: Ubee EVW327 – ‘Enable Remote Access’ Cross-Site Request Forgery (CSRF) |
| umbraco–Umbraco | Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts. | 2026-01-15 | 5.3 | CVE-2021-47776 | ExploitDB-50462 Umbraco Official Homepage Umbraco CMS Release Notes |
| Vertiv–Cyclades Serial Console Server | Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions. | 2026-01-13 | 6.2 | CVE-2022-50927 | ExploitDB-50773 Vertiv Official Homepage VulnCheck Advisory: Cyclades Serial Console Server 3.3.0 – Local Privilege Escalation |
| VideoLAN–VLC media player | mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. | 2026-01-16 | 4.8 | CVE-2025-51602 | https://www.videolan.org/security/sb-vlc3022.html https://code.videolan.org/videolan/vlc/-/issues/29146 |
| Visual-Tools–Visual Tools DVR VX16 | Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. | 2026-01-15 | 6.2 | CVE-2021-47799 | ExploitDB-50104 Official Vendor Homepage |
| vk011–Real Post Slider Lite | The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/324fd823-8ec9-4187-8694-6160bad8e093?source=cve https://plugins.trac.wordpress.org/browser/real-post-slider-lite/trunk/real-post-slider-lite.php#L130 https://plugins.trac.wordpress.org/browser/real-post-slider-lite/tags/2.4/real-post-slider-lite.php#L130 |
| webbu–WMF Mobile Redirector | The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62 |
| WeblateOrg–wlc | wlc is a Weblate command-line client using Weblate’s REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in its settings. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. | 2026-01-12 | 5.3 | CVE-2026-22251 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 https://github.com/WeblateOrg/wlc/pull/1098 https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 |
| Wireshark Foundation–Wireshark | IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0959 | https://www.wireshark.org/security/wnpa-sec-2026-02.html GitLab Issue #20939 |
| Wireshark Foundation–Wireshark | BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.5 | CVE-2026-0961 | https://www.wireshark.org/security/wnpa-sec-2026-01.html GitLab Issue #20880 |
| Wireshark Foundation–Wireshark | SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0962 | https://www.wireshark.org/security/wnpa-sec-2026-03.html GitLab Issue #20945 |
| Wireshark Foundation–Wireshark | HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service | 2026-01-14 | 4.7 | CVE-2026-0960 | https://www.wireshark.org/security/wnpa-sec-2026-04.html GitLab Issue #20944 |
| wpcenter–AffiliateX Amazon Affiliate Plugin | The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | 2026-01-15 | 6.4 | CVE-2025-13859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36d57b8d-7e62-413b-8ea9-87963b8cd469?source=cve https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/functions/AjaxFunctions.php https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/helpers/class-affiliatex-helpers.php |
| wpchill–Filr Secure document library | The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the ‘filr’ post type. | 2026-01-17 | 4.4 | CVE-2025-14632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail= |
| wpdevelop–Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. | 2026-01-16 | 4.3 | CVE-2025-14982 | https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158 https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661 https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail= |
| wpdevteam–Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the ‘eael_product_quickview_popup’ function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | 2026-01-16 | 5.3 | CVE-2026-1004 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L820 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L64 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L65 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L832 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1439 https://github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945 |
| wpswings–Wallet System for WooCommerce Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments | The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘change_wallet_fund_request_status_callback’ function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users’ balances. | 2026-01-17 | 6.5 | CVE-2025-14450 | https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail= |
| xiweicheng–TMS | A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed remotely. The exploit is now public and may be used. | 2026-01-17 | 6.3 | CVE-2026-1061 | VDB-341629 \| xiweicheng TMS FileController.java upload unrestricted upload VDB-341629 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731240 \| https://gitee.com/xiweicheng/tms/ Merchant Mall – Mall Development/TMS 1.0 Unrestricted Upload https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| xiweicheng–TMS | A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-17 | 6.3 | CVE-2026-1062 | VDB-341630 \| xiweicheng TMS HtmlUtil.java summary server-side request forgery VDB-341630 \| CTI Indicators (IOB, IOC, IOA) Submit #731241 \| https://gitee.com/xiweicheng/tms/ Merchant Mall – Mall Development/TMS 1.0 Server-Side Request Forgery Submit #731242 \| https://gitee.com/xiweicheng/tms/ Merchant Mall – Mall Development/TMS 1.0 Server-Side Request Forgery (Duplicate) https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md |
| Xmind–Xmind | Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. | 2026-01-16 | 6.1 | CVE-2021-47844 | ExploitDB-49827 Official Xmind Product Homepage Proof of Concept Video VulnCheck Advisory: Xmind 2020 – Persistent Cross-Site Scripting |
| YouPHPTube–YouPHPTube | YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the ‘lang’ parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences. | 2026-01-13 | 6.2 | CVE-2021-47749 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 – Directory Traversal |
| YouPHPTube–YouPHPTube | YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims’ browsers when they access the signup page. | 2026-01-13 | 6.1 | CVE-2021-47750 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 – Cross-Site Scripting |
| zealopensource–User Registration Using Contact Form 7 | The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘get_cf7_form_data’ function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | 2026-01-17 | 5.3 | CVE-2025-12825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail= |
| Zippy–Zstore | Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim’s browser context. | 2026-01-13 | 6.1 | CVE-2023-53985 | ExploitDB-51207 Zstore/Zippy-CRM Product Homepage Zstore/Zippy-CRM GitHub Repository Vulnerability Reproduction Repository VulnCheck Advisory: Zstore 6.5.4 – Reflected Cross-Site Scripting (XSS) |
| zitadel–zitadel | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel’s login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | 2026-01-15 | 5.3 | CVE-2026-23511 | https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2 https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d https://github.com/zitadel/zitadel/releases/tag/v3.4.6 https://github.com/zitadel/zitadel/releases/tag/v4.9.1 |
| Zohocorp–ManageEngine ADManager Plus | Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | 2026-01-13 | 5.5 | CVE-2025-9435 | https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| andy_moyle–Church Admin | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the ‘audio_url’ parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-17 | 2.2 | CVE-2026-0682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail= |
| bestpractical–Request Tracker | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | 2026-01-16 | 2.6 | CVE-2025-61873 | https://docs.bestpractical.com/release-notes/rt/index.html |
| Fortinet–FortiSandbox | A Server-Side Request Forgery (SSRF) [CWE-918] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests, limited to plaintext endpoints only, via crafted HTTP requests. | 2026-01-13 | 3.4 | CVE-2025-67685 | https://fortiguard.fortinet.com/psirt/FG-IR-25-783 |
| glenwpcoder–Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the “Send attachments as links” setting is enabled. | 2026-01-15 | 3.7 | CVE-2025-14457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7 |
| Lenovo–Tab M11 TB330FU TB330XU | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the “Allow Control Center access when locked” option is disabled. | 2026-01-14 | 3.2 | CVE-2025-14058 | https://support.lenovo.com/us/en/product_security/LEN-207951 |
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens. | 2026-01-16 | 3.1 | CVE-2025-14822 | https://mattermost.com/security-updates |
| n/a–LigeroSmart | A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1048 | VDB-341600 \| LigeroSmart index.pl cross site scripting VDB-341600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729399 \| LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/279 https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926 |
| n/a–LigeroSmart | A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1049 | VDB-341601 \| LigeroSmart index.pl cross site scripting VDB-341601 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729402 \| LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/280 https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352 |
| nicbarker–clay | A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 3.3 | CVE-2025-15535 | VDB-341707 \| nicbarker clay clay.h Clay__MeasureTextCached null pointer dereference VDB-341707 \| CTI Indicators (IOB, IOC, IOA) Submit #733346 \| nicbarker clay v0.14 and master-branch Memory Corruption https://github.com/nicbarker/clay/issues/566 https://github.com/oneafter/1215/blob/main/repro |
| nodejs–undici | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. | 2026-01-14 | 3.7 | CVE-2026-22036 | https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9 https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3 |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. | 2026-01-15 | 3.7 | CVE-2026-0976 | https://access.redhat.com/security/cve/CVE-2026-0976 RHBZ#2429869 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | 2026-01-15 | 3.7 | CVE-2026-0989 | https://access.redhat.com/security/cve/CVE-2026-0989 RHBZ#2429933 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | 2026-01-15 | 2.9 | CVE-2026-0992 | https://access.redhat.com/security/cve/CVE-2026-0992 RHBZ#2429975 |
| SAP_SE–NW AS Java UME User Mapping | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality with no impact on integrity and availability of the application. | 2026-01-13 | 3 | CVE-2026-0510 | https://me.sap.com/notes/3593356 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Identity Management | Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | 2026-01-13 | 3.8 | CVE-2026-0504 | https://me.sap.com/notes/3657998 https://url.sap/sapsecuritypatchday |
| SICK AG–TDC-X401GL | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | 2026-01-15 | 3.8 | CVE-2026-22919 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG–TDC-X401GL | The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks. | 2026-01-15 | 3.7 | CVE-2026-22920 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| THM-Health–PILOS | PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0. | 2026-01-12 | 2.4 | CVE-2026-22800 | https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b |
| WeblateOrg–wlc | wlc is a Weblate command-line client using Weblate’s REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | 2026-01-12 | 2.5 | CVE-2026-22250 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh https://github.com/WeblateOrg/wlc/pull/1097 https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AbhishekMali21–AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the ‘name’ parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the ‘id’ parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | 2026-01-12 | not yet calculated | CVE-2025-67146 | https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4 |
| AbhishekMali21–AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the ‘name’, ‘email’, and ‘comment’ parameters in (1) submit_contact.php, the ‘username’ and ‘pass_key’ parameters in (2) secure_login.php, and the ‘login_id’, ‘pwfield’, and ‘login_key’ parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | 2026-01-12 | not yet calculated | CVE-2025-67147 | https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3 |
| Absolute Security–Secure Access | CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash. | 2026-01-17 | not yet calculated | CVE-2026-0517 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517 |
| Absolute Security–Secure Access | CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console. | 2026-01-17 | not yet calculated | CVE-2026-0518 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518 |
| Absolute Security–Secure Access | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | 2026-01-17 | not yet calculated | CVE-2026-0519 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519 |
| Acora–Acora | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. | 2026-01-12 | not yet calculated | CVE-2025-63314 | http://ddsn.com http://acora.com https://github.com/padayali-JD/CVE-2025-63314 |
| adonisjs–lucid | @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. | 2026-01-13 | not yet calculated | CVE-2026-22814 | https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f |
| Airth–Airth | An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module), which is left open to access on the device. | 2026-01-14 | not yet calculated | CVE-2025-67399 | http://airth.com https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf |
| akinloluwami–outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. | 2026-01-14 | not yet calculated | CVE-2026-22820 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7 https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581 |
| alextselegidis–easyappointments | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim’s browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover. | 2026-01-15 | not yet calculated | CVE-2026-23622 | https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj |
| AltumCode–AltumCode | Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file. | 2026-01-12 | not yet calculated | CVE-2025-66939 | https://66biolinks.com/ https://gist.github.com/Waqar-Arain/2a21b135a04e7804c124688ea1085875 |
| AMD–AMD EPYC 9004 Series Processors | A write-what-where condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline, potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. | 2026-01-16 | not yet calculated | CVE-2025-29943 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html |
| anomalyco–opencode | OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. | 2026-01-12 | not yet calculated | CVE-2026-22813 | https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp |
| Anycomment–Anycomment | Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section. | 2026-01-15 | not yet calculated | CVE-2025-67025 | https://bdu.fstec.ru/vul/2023-08900 https://anycomment.io/site/changelog |
| Apache Software Foundation–Apache Airflow | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue. | 2026-01-16 | not yet calculated | CVE-2025-68438 | https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff |
| Apache Software Foundation–Apache Airflow | In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue. | 2026-01-16 | not yet calculated | CVE-2025-68675 | https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5 |
| Apache Software Foundation–Apache bRPC | Remote command injection vulnerability in the heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands. Root cause: the bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter. Affected scenarios: use of the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to fix: two methods are provided, choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. | 2026-01-16 | not yet calculated | CVE-2025-60021 | https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m |
| Apache Software Foundation–Apache Camel Neo4j | Cypher Injection vulnerability in the Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0. Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS, 4.14.3 for 4.14.x LTS, and 4.17.0. | 2026-01-14 | not yet calculated | CVE-2025-66169 | https://camel.apache.org/security/CVE-2025-66169.html |
| Apple–iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory. | 2026-01-16 | not yet calculated | CVE-2024-44238 | https://support.apple.com/en-us/121563 |
| Apple–iOS and iPadOS | This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. | 2026-01-16 | not yet calculated | CVE-2024-54556 | https://support.apple.com/en-us/121563 |
| Apple–iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user’s installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24089 | https://support.apple.com/en-us/122066 |
| Apple–iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user’s installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24090 | https://support.apple.com/en-us/122066 |
| Apple–macOS | This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. | 2026-01-16 | not yet calculated | CVE-2024-44210 | https://support.apple.com/en-us/121564 |
| Apple–macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2026-01-16 | not yet calculated | CVE-2025-43508 | https://support.apple.com/en-us/125634 |
| Apple–Xcode | A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. | 2026-01-16 | not yet calculated | CVE-2025-31186 | https://support.apple.com/en-us/122380 |
| Arm–Neoverse-N2 | In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI. | 2026-01-14 | not yet calculated | CVE-2025-0647 | https://developer.arm.com/documentation/111546 |
| Assaf Parag–Poll, Survey & Quiz Maker Plugin by Opinion Stage | Poll, Survey & Quiz Maker Plugin by Opinion Stage WordPress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. | 2026-01-16 | not yet calculated | CVE-2019-25297 | https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/ https://wordpress.org/plugins/social-polls-by-opinionstage/ https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/ https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss |
| Automai–Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges. | 2026-01-12 | not yet calculated | CVE-2025-46066 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42 |
| Automai–Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file. | 2026-01-12 | not yet calculated | CVE-2025-46067 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03 |
| Automai–Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism. | 2026-01-12 | not yet calculated | CVE-2025-46068 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/00ea6cce1299e1d999b5d1faac4248f1 |
| Automai–Automai | An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component. | 2026-01-12 | not yet calculated | CVE-2025-46070 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/776dd7e927d9b2f8ef10807abe124f8e |
| bee interactive–Livewire Filemanager | Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | 2026-01-16 | not yet calculated | CVE-2025-14894 | https://github.com/livewire-filemanager/filemanager https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager |
| Bluspark Global–BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers’ data and completely compromise the targeted platform. | 2026-01-14 | not yet calculated | CVE-2026-22236 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global–BLUVOYIX | The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. | 2026-01-14 | not yet calculated | CVE-2026-22237 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global–BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers’ data and completely compromise the targeted platform by logging in to the newly-created admin user. | 2026-01-14 | not yet calculated | CVE-2026-22238 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global–BLUVOYIX | The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company. | 2026-01-14 | not yet calculated | CVE-2026-22239 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global–BLUVOYIX | The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers’ data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | 2026-01-14 | not yet calculated | CVE-2026-22240 | https://blusparkglobal.com/bluvoyix/ |
| Broadcom–DX NetOps Spectrum | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69267 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69268 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection. This issue affects DX NetOps Spectrum: 23.3.6 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69269 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69270 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69271 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 21.2.1 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69272 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69273 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69274 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS. This issue affects DX NetOps Spectrum: 24.3.9 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69275 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom–DX NetOps Spectrum | Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69276 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| calcom–cal.com | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user’s account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. | 2026-01-13 | not yet calculated | CVE-2026-23478 | https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg |
| Chainlit–Chainlit | Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product. | 2026-01-14 | not yet calculated | CVE-2025-68492 | https://github.com/Chainlit/chainlit/releases https://jvn.jp/en/jp/JVN34964581/ |
| Chamilo–Chamilo | An issue was discovered in Chamilo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | 2026-01-16 | not yet calculated | CVE-2025-69581 | https://github.com/chamilo/chamilo-lms https://github.com/Rivek619/CVE-2025-69581 |
| Changjetong Information Technology Co., Ltd.–T+ | Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC). | 2026-01-15 | not yet calculated | CVE-2023-7334 | https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62 https://www.freebuf.com/articles/web/381731.html https://blog.csdn.net/qq_53003652/article/details/134031230 https://blog.csdn.net/u010025272/article/details/131553591 https://github.com/MD-SEC/MDPOCS/blob/main/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py https://www.vulncheck.com/advisories/changjetong-tplus-getstorewarehousebystore-deserialization-rce |
| cursor–cursor | Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. | 2026-01-14 | not yet calculated | CVE-2026-22708 | https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w |
| Cyber Cafe–Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim’s browser when the affected page is accessed. | 2026-01-15 | not yet calculated | CVE-2025-70890 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70890 |
| Cyber Cafe–Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. | 2026-01-15 | not yet calculated | CVE-2025-70891 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891 |
| Cyber Cafe–Cyber Cafe | Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. | 2026-01-15 | not yet calculated | CVE-2025-70892 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70892 |
| Cyber Cafe–Cyber Cafe | A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. | 2026-01-15 | not yet calculated | CVE-2025-70893 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893 |
| dask–distributed | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | 2026-01-16 | not yet calculated | CVE-2026-23528 | https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa |
| DataDog–guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog’s safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22870 | https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b |
| DataDog–guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22871 | https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68 https://github.com/DataDog/guarddog/commit/9aa6a725b2c71d537d3c18d1c15621395ebb879c |
| defenseunicorns–pepr | Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. | 2026-01-16 | not yet calculated | CVE-2026-23634 | https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5 |
| denoland–deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn’t finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0. | 2026-01-15 | not yet calculated | CVE-2026-22863 | https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v https://github.com/denoland/deno/releases/tag/v2.6.0 |
| Drupal–Facebook Pixel | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | 2026-01-14 | not yet calculated | CVE-2025-14557 | https://www.herodevs.com/vulnerability-directory/cve-2025-14557 https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting |
| Drupal–Flag | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | 2026-01-14 | not yet calculated | CVE-2025-14556 | https://www.herodevs.com/vulnerability-directory/cve-2025-14556 https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011 |
| Eclipse Vert.x–Eclipse Vert.x | The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of step C of the remove_dot_segments algorithm in section 5.2.4 of RFC 3986 and is fixed in the Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895. Steps to reproduce: given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / character to deny access to the URI with an HTTP 404 response. For example, https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html. Mitigation: disabling the static handler cache fixes the issue: StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); | 2026-01-15 | not yet calculated | CVE-2026-1002 | https://github.com/eclipse-vertx/vert.x/pull/5895 |
| eigent-ai–eigent | Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases. | 2026-01-13 | not yet calculated | CVE-2026-22869 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp https://github.com/eigent-ai/eigent/pull/836 https://github.com/eigent-ai/eigent/pull/837 https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 |
| eKoopmans–html2pdf.js | html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page’s data. This vulnerability has been fixed in html2pdf.js@0.14.0. | 2026-01-14 | not yet calculated | CVE-2026-22787 | https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc https://github.com/eKoopmans/html2pdf.js/issues/865 https://github.com/eKoopmans/html2pdf.js/pull/877 https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0 |
| Emaintenance–Crazy Bubble Tea | In the Crazy Bubble Tea mobile application, an authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. The server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). | 2026-01-14 | not yet calculated | CVE-2025-14317 | https://crazybubble.pl/aplikacja-crazy-bubble/ https://cert.pl/posts/2026/01/CVE-2025-14317 |
| emlog–emlog | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. | 2026-01-12 | not yet calculated | CVE-2026-22799 | https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560 |
| Enhancesoft–osTicket | Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. | 2026-01-12 | not yet calculated | CVE-2026-22200 | https://github.com/osTicket/osTicket/releases/tag/v1.18.3 https://github.com/osTicket/osTicket/commit/c59b067 https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read |
| Entrust Corporation–Instant Financial Issuance (IF) | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. | 2026-01-15 | not yet calculated | CVE-2026-23746 | https://www.entrust.com/products/issuance-systems/instant/financial-card https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce |
| Eptura Archibus–Eptura Archibus | In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal. | 2026-01-13 | not yet calculated | CVE-2025-25652 | https://eptura.com/our-platform/archibus/ https://packetstorm.news/files/id/213675 |
| Eramba–Eramba | A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | 2026-01-13 | not yet calculated | CVE-2025-55462 | http://eramba.com https://discussions.eramba.org/t/release-3-28-0/7860 |
| esm-dev–esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. | 2026-01-18 | not yet calculated | CVE-2026-23644 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 https://pkg.go.dev/vuln/GO-2025-4138 |
| ethereum–go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22862 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| ethereum–go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22868 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| Flare Camera–Blurams | A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. | 2026-01-14 | not yet calculated | CVE-2025-65396 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65396/ |
| Flare Camera–Blurams | An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device’s SD card. | 2026-01-14 | not yet calculated | CVE-2025-65397 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65397/ |
| flipped-aurora–gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. An attacker can upload arbitrary files into any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. | 2026-01-12 | not yet calculated | CVE-2026-22786 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6 https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5 |
| frappe–lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. | 2026-01-14 | not yet calculated | CVE-2026-23497 | https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5 https://github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 |
| FreeImage–FreeImage | FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). | 2026-01-14 | not yet calculated | CVE-2025-70968 | https://github.com/MiracleWolf/FreeimageCrash/tree/main |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22851 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22852 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22853 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22854 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22855 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22856 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22857 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22858 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22859 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| Google–Android | In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user’s conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-15 | not yet calculated | CVE-2025-36911 | https://source.android.com/security/bulletin/pixel/2026-01-01 |
| Google–Google Devices | In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-16 | not yet calculated | CVE-2025-48647 | https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01 |
| Google–Keras | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape. | 2026-01-15 | not yet calculated | CVE-2026-0897 | https://github.com/keras-team/keras/pull/21880 |
| GPAC–GPAC | GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. | 2026-01-15 | not yet calculated | CVE-2025-70298 | https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md |
| GPAC–GPAC | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | 2026-01-15 | not yet calculated | CVE-2025-70299 | https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md |
| GPAC–GPAC | A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-15 | not yet calculated | CVE-2025-70302 | https://github.com/zakkanijia/POC/blob/main/gpac_ghi/ghi.md |
| GPAC–GPAC | A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 2026-01-15 | not yet calculated | CVE-2025-70303 | https://github.com/zakkanijia/POC/blob/main/gpac_uncv/GPAC_UNCV_CPAT.md |
| GPAC–GPAC | A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70304 | https://github.com/zakkanijia/POC/blob/main/gpac_vobsub/GPAC_vobsub.md |
| GPAC–GPAC | A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. | 2026-01-15 | not yet calculated | CVE-2025-70305 | https://github.com/zakkanijia/POC/blob/main/gpac_saf/GPAC_SAF.md |
| GPAC–GPAC | A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70307 | https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md |
| GPAC–GPAC | An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. | 2026-01-15 | not yet calculated | CVE-2025-70308 | https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md |
| GPAC–GPAC | A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. | 2026-01-15 | not yet calculated | CVE-2025-70309 | https://github.com/zakkanijia/POC/blob/main/gpac_rawpcm/GPAC_RFPCM.md |
| GPAC–GPAC | A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. | 2026-01-15 | not yet calculated | CVE-2025-70310 | https://github.com/zakkanijia/POC/blob/main/gpac_dec_vorbis/GPAC_VORBIS.md |
| gradle–gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository’s domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22816 | https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82 https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a |
| gradle–gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22865 | https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv |
| graphql-hive–graphql-modules | GraphQL Modules is a toolset of libraries and guidelines dedicated to creating reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when two or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1. | 2026-01-16 | not yet calculated | CVE-2026-23735 | https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 https://github.com/graphql-hive/graphql-modules/issues/2613 https://github.com/graphql-hive/graphql-modules/pull/2521 https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568 |
| Home Security System–D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. | 2026-01-12 | not yet calculated | CVE-2025-65552 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552 |
| Home Security System–D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition that may lead to undetected intrusions or failure to trigger safety alerts. | 2026-01-12 | not yet calculated | CVE-2025-65553 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65553 |
| https://github.com/linrunner–TLP | An Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings. This issue affects TLP: from 1.9 before 1.9.1. | 2026-01-14 | not yet calculated | CVE-2025-67859 | https://security.opensuse.org/2026/01/07/tlp-polkit-authentication-bypass.html https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67859 |
| https://github.com/ShadowBlip–inputplumber | Polkit authentication is disabled by default, and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | 2026-01-14 | not yet calculated | CVE-2025-14338 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-14338 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| https://github.com/ShadowBlip–inputplumber | Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. | 2026-01-14 | not yet calculated | CVE-2025-66005 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66005 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| Hubert Imoveis–Hubert Imoveis | An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2026-01-13 | not yet calculated | CVE-2025-65783 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65783 |
| Hubert Imoveis–Hubert Imoveis | Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users’ information via a crafted API request. | 2026-01-13 | not yet calculated | CVE-2025-65784 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65784 |
| HumanSignal–label-studio | Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints – enabling full account takeover and unauthorized API access. | 2026-01-12 | not yet calculated | CVE-2026-22033 | https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch https://github.com/HumanSignal/label-studio/pull/9084 https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505 |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused a scenario where the potential for a use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-10865 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies–Graphics DDK | Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. | 2026-01-13 | not yet calculated | CVE-2025-25176 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. | 2026-01-13 | not yet calculated | CVE-2025-58409 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resource reference counting, creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused a scenario where a potential write use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-58411 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imaster–MEMS Events CRM | Imaster’s MEMS Events CRM contains an SQL injection vulnerability in the ‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’. | 2026-01-12 | not yet calculated | CVE-2025-41005 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster–MEMS Events CRM | Imaster’s MEMS Events CRM contains an SQL injection vulnerability in the ‘phone’ parameter in ‘/memsdemo/login.php’. | 2026-01-12 | not yet calculated | CVE-2025-41006 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster–Patient Record Management System | Imaster’s Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. By injecting a malicious script into the ‘firstname’ parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim’s browser. | 2026-01-12 | not yet calculated | CVE-2025-41003 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster–Patient Record Management System | Imaster’s Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter. | 2026-01-12 | not yet calculated | CVE-2025-41004 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| InvoicePlane–InvoicePlane | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in “maxQuantity” and “minQuantity” parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | 2026-01-15 | not yet calculated | CVE-2025-67082 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane–InvoicePlane | Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | 2026-01-15 | not yet calculated | CVE-2025-67083 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane–InvoicePlane | File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | 2026-01-15 | not yet calculated | CVE-2025-67084 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| ippprint–Sagemcom | Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows a remote attacker to execute arbitrary code by sending a crafted HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-29329 | http://sagemcom.com http://fst.com https://github.com/SilverS3c/Sagemcom-fast-3686-ippprint |
| isaacs–node-tar | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. | 2026-01-16 | not yet calculated | CVE-2026-23745 | https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e |
| Itflow–Itflow | An SQL injection vulnerability in Itflow through 25.06 has been identified in the “role_id” parameter when editing a profile. An attacker with an admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of an integer parameter. | 2026-01-15 | not yet calculated | CVE-2025-67081 | https://github.com/itflow-org/itflow https://www.helx.io/blog/advisory-itflow/ |
| KACE–KACE | Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication. | 2026-01-12 | not yet calculated | CVE-2025-67813 | https://quest.com https://support.quest.com/kb/4381743/quest-kace-desktop-authority-insecure-named-pipe-permissions-cve-2025-67813 |
| kashipara–kashipara | A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-51567 | https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23725 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23726 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23727 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmq9-8p4w-m4f3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23728 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23729 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ–WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23730 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6gx4-6gwv-cxc3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LangChain AI–LangChain | LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition. | 2026-01-12 | not yet calculated | CVE-2024-58340 | https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb https://www.langchain.com/ https://github.com/langchain-ai/langchain https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos |
| Lemonsoft–WordPress add-on | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS). This issue affects WordPress add on: 2025.7.1. | 2026-01-13 | not yet calculated | CVE-2025-9427 | https://lemondoc.atlassian.net/wiki/spaces/LEMONSHOP/pages/754909038/Versiohistoria+-+Lemonsoft+integration+lis+osa |
| Libsndfile–Libsndfile | Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. | 2026-01-14 | not yet calculated | CVE-2025-56226 | https://github.com/libsndfile/libsndfile/issues/1089 https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: Verify inode mode when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits “mode” field loaded from disk are corrupted. According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the “mode” field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/ S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0. | 2026-01-13 | not yet calculated | CVE-2025-68767 | https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32 https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5 https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59 https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156 https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79 https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn’t obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack’s netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we’re running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. | 2026-01-13 | not yet calculated | CVE-2025-68768 | https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903 https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn’t set fc->root, returned 1 ————[ cut here ]———— kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace: <TASK> fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe The root cause is we missed to handle error number returned from f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or ro,disable_roll_forward mount option, result in returning a positive error number to vfs_get_tree(), fix it. | 2026-01-13 | not yet calculated | CVE-2025-68769 | https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725 https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243 https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49 https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865 https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3 https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). | 2026-01-13 | not yet calculated | CVE-2025-68770 | https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6 https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561 https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. | 2026-01-13 | not yet calculated | CVE-2025-68771 | https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7 https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869 https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268 https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl – f2fs_do_sync_file – file_write_and_wait_range – f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 – tag_pages_for_writeback – f2fs_setattr – truncate_setsize – f2fs_truncate – f2fs_fileattr_set – f2fs_setflags_common – set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) – f2fs_compressed_file : return true – f2fs_all_cluster_page_ready : “pgidx % cc->cluster_size” trigger dividing 0 issue Let’s change as below to fix this issue: – introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which are calling f2fs_write_cache_pages(). – use .i_sem lock to protect .writeback update. – check .writeback before update compression context in f2fs_setflags_common() to avoid race w/ ->writepages. | 2026-01-13 | not yet calculated | CVE-2025-68772 | https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4 https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0 https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce (“spi: fsl-cpm: Use 16 bit mode for large transfers with even size”) failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 (“eeprom: at25: convert to spi-mem API”) introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. | 2026-01-13 | not yet calculated | CVE-2025-68773 | https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8 https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87 https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681 https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771 https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. `node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; }` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 (“fix missing hfs_bnode_get() in __hfs_bnode_create”) but the same issue remained in HFS+ until now. | 2026-01-13 | not yet calculated | CVE-2025-68774 | https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56 https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86 https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6 https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false… and assuming HANDSHAKE_F_REQ_COMPLETED isn’t set in req->hr_flags, we’ll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out – particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn’t follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. | 2026-01-13 | not yet calculated | CVE-2025-68775 | https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663 https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659 https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn’t check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. | 2026-01-13 | not yet calculated | CVE-2025-68776 | https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819 https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087 https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255 https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095 https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. | 2026-01-13 | not yet calculated | CVE-2025-68777 | https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178 https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570 https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don’t log conflicting inode if it’s a dir moved in the current transaction We can’t log a conflicting inode if it’s a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result in an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories “dir1” and “dir2” created in a past transaction. Directory “dir1” has inode A as its parent directory; 2) We move “dir1” to some other directory; 3) We create a file with the name “dir1” in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory “dir1” that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of “dir1”; 5) We move the new file to some other directory. This results in updating the log tree to include the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory “dir1” we find a new INODE_REF and add that link, but we don’t remove the old link of the inode since we have not logged the old parent directory of the directory inode “dir1”. As a result, after log replay finishes, when we trigger writeback of the subvolume tree’s extent buffers, the tree checker will detect that we have a directory with a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ —truncated— | 2026-01-13 | not yet calculated | CVE-2025-68778 | https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2 https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973 https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ————[ cut here ]———— refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 […] mlx5e_psp_unregister+0x26/0x50 [mlx5_core] mlx5e_nic_cleanup+0x26/0x90 [mlx5_core] mlx5e_remove+0xe6/0x1f0 [mlx5_core] auxiliary_bus_remove+0x18/0x30 device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core] […] Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup happens as part of profile cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68779 | https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 (“sched/deadline: Modify cpudl::free_cpus to reflect rd->online”) introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 (“sched/deadline: Remove cpu_active_mask from cpudl_find()”) removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state. Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run. One example is outlined here: https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU. This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately. It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions. | 2026-01-13 | not yet calculated | CVE-2025-68780 | https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317 https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49 https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory. The problematic scenario: (detach thread) \| (delayed work) fsl_otg_remove() \| kfree(fsl_otg_dev) //FREE \| fsl_otg_event() \| og = container_of(…) //USE \| og-> //USE Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation. This bug was identified through static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68781 | https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317 https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222 https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23 https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset the NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68782 | https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96 https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128 https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3 https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). | 2026-01-13 | not yet calculated | CVE-2025-68783 | https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550 https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9 https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3 https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. | 2026-01-13 | not yet calculated | CVE-2025-68784 | https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,…)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don’t even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls – first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn’t safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to the larger netlink buffer, but causes trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let’s add some checks that the attribute is properly sized and it’s the only attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we’re pushing an NSH header already, it just creates extra nesting, but that’s how uAPI works today. So, keeping it as it is. | 2026-01-13 | not yet calculated | CVE-2025-68785 | https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294 https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702 https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. | 2026-01-13 | not yet calculated | CVE-2025-68786 | https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295 https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33 https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8 https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() returns NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm “syz.0.17”, pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ……….R(…. backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-01-13 | not yet calculated | CVE-2025-68787 | https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3 https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1 https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf | 2026-01-13 | not yet calculated | CVE-2025-68788 | https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8 https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81 https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900 https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. | 2026-01-13 | not yet calculated | CVE-2025-68789 | https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device’s private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over a use-after-free. On s390 almost all PCI level recovery events trigger two passes through mlx5_unload_one() – one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388 | 2026-01-13 | not yet calculated | CVE-2025-68790 | https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4 https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: missing copy_finish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. [Joanne: simplified error cleanup] | 2026-01-13 | not yet calculated | CVE-2025-68791 | https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8 https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead to memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would then by definition be corrupted. | 2026-01-13 | not yet calculated | CVE-2025-68792 | https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before the time out callback completes, the job will be freed and we’ll get a UAF when accessing the pasid. Cache it early to avoid the UAF. Example KASAN trace: [ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323 [ 493.074892] [ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary) [ 493.076493] Tainted: [E]=UNSIGNED_MODULE [ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched] [ 493.076512] Call Trace: [ 493.076515] <TASK> [ 493.076518] dump_stack_lvl+0x64/0x80 [ 493.076529] print_report+0xce/0x630 [ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0 [ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077253] kasan_report+0xb8/0xf0 [ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu] [ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu] [ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu] [ 493.080903] ? pick_task_fair+0x24e/0x330 [ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu] [ 493.081702] ? _raw_spin_lock+0x75/0xc0 [ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10 [ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched] [ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081725] process_one_work+0x679/0xff0 [ 493.081732] worker_thread+0x6ce/0xfd0 [ 493.081736] ? __pfx_worker_thread+0x10/0x10 [ 493.081739] kthread+0x376/0x730 [ 493.081744] ? __pfx_kthread+0x10/0x10 [ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081751] ? __pfx_kthread+0x10/0x10 [ 493.081755] ret_from_fork+0x247/0x330 [ 493.081761] ? __pfx_kthread+0x10/0x10 [ 493.081764] ret_from_fork_asm+0x1a/0x30 [ 493.081771] </TASK> (cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d) | 2026-01-13 | not yet calculated | CVE-2025-68793 | https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0 https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks. | 2026-01-13 | not yet calculated | CVE-2025-68794 | https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5 https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899 https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace’s buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: – bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver’s stats count. – micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won’t solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace’s size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a “silent” response, but that seems more destructive towards userspace apps. Notes: – This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. – RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. – Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it’s not zero, to prevent any regressions. | 2026-01-13 | not yet calculated | CVE-2025-68795 | https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71 https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326 https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093 https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ————[ cut here ]———— kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 Call Trace: <TASK> f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 vfs_fallocate+0x669/0x7e0 fs/open.c:342 ioctl_preallocate fs/ioctl.c:289 [inline] file_ioctl+0x611/0x780 fs/ioctl.c:-1 do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 __do_sys_ioctl fs/ioctl.c:595 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f07bc58eec9 In error path of f2fs_zero_range(), it may add a zero-sized extent into extent cache, it should be avoided. | 2026-01-13 | not yet calculated | CVE-2025-68796 | https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548 https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188 https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88 https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646 https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589 https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin – Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. | 2026-01-13 | not yet calculated | CVE-2025-68797 | https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084 https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478 https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54 https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23 https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> | 2026-01-13 | not yet calculated | CVE-2025-68798 | https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621 https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573 https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. | 2026-01-13 | not yet calculated | CVE-2025-68799 | https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691 https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7 https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3 https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 | 2026-01-13 | not yet calculated | CVE-2025-68800 | https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88 https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0 https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a referencing when the neighbour is used by a nexthop as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 Read of size 8 at addr ffff88817f8e3420 by task ip/3929 CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full) Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 […] Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 | 2026-01-13 | not yet calculated | CVE-2025-68801 | https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0 https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2 https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08 https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254 https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. ” ————[ cut here ]———— WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 … Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f … ” v2: Add “Reported-by” and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c) | 2026-01-13 | not yet calculated | CVE-2025-68802 | https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2 https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: “the ACL attribute is set as given”. The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file’s mode bits rather than returning the originally-specified ACL. | 2026-01-13 | not yet calculated | CVE-2025-68803 | https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725 https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1 https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862 https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3 https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192 https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting in a UAF and crash. The driver doesn’t unregister the EC device in .remove(), which should shut down sub-devices synchronously. Fix it. | 2026-01-13 | not yet calculated | CVE-2025-68804 | https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020 https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95 https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437 https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue’s list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue’s list for terminated non-committed requests. | 2026-01-13 | not yet calculated | CVE-2025-68805 | https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding ‘+ 1’ to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately reflects the total required buffer size. | 2026-01-13 | not yet calculated | CVE-2025-68806 | https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750 https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925 https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6 https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 … Fix this by: 1. Splitting wbt_enable_default() into: – __wbt_enable_default(): Returns true if wbt_init() should be called – wbt_enable_default(): Wrapper for existing callers (no init) – wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn’t needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it’s no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative. | 2026-01-13 | not yet calculated | CVE-2025-68807 | https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. | 2026-01-13 | not yet calculated | CVE-2025-68808 | https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108 https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323 https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: – ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. – ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: – Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. – Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). – Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. | 2026-01-13 | not yet calculated | CVE-2025-68809 | https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93 https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn’t support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn’t prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 </TASK> Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2026-01-13 | not yet calculated | CVE-2025-68810 | https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386 https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127 https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) | 2026-01-13 | not yet calculated | CVE-2025-68811 | https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6 https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add sanity check for stop streaming Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware. In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. [bod: remove qcom from patch title] | 2026-01-13 | not yet calculated | CVE-2025-68812 | https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 (“ipv4: recompile ip options in ipv4_link_failure”) started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc (“ipv4: fix null-deref in ipv4_link_failure”), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 (“ipvs: fix ipv6 route unreach panic”): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764 | 2026-01-13 | not yet calculated | CVE-2025-68813 | https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903 https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447 https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8 https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90 https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn’t have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68814 | https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458 https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746 https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4 https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45 https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn’t checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 … [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 | 2026-01-13 | not yet calculated | CVE-2025-68815 | https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2 https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34 https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with “BAD_FORMAT: ” prefix. | 2026-01-13 | not yet calculated | CVE-2025-68816 | https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0 https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3 https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0 https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. | 2026-01-13 | not yet calculated | CVE-2025-68817 | https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4 https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21 https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: Revert “scsi: qla2xxx: Perform lockless command completion in abort path” This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d (“scsi: qla2xxx: Complete command early within lock”) added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. | 2026-01-13 | not yet calculated | CVE-2025-68818 | https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003 https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1 https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. | 2026-01-13 | not yet calculated | CVE-2025-68819 | https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750 https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68820 | https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6 https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2 https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142 https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 (“fuse: allocate ff->release_args only if release is needed”) skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). | 2026-01-13 | not yet calculated | CVE-2025-68821 | https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411 https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Input: alps – fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) \| CPU 1 (delayed work) psmouse_disconnect() \| psmouse_set_state() \| flush_workqueue() \| alps_report_bare_ps2_packet() alps_disconnect() \| psmouse_queue_work() kfree(priv); // FREE \| alps_register_bare_ps2_mouse() \| priv = container_of(work…); // USE \| priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68822 | https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7 https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2 https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on file descriptor of ublk block device, the work may be deferred to current task’s task work (see fput() implementation) 5. This eventually calls blkdev_release() from the same context 6. blkdev_release() tries to grab disk->open_mutex again 7. Deadlock: same task waiting for a mutex it already holds The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, and allows ublk server to make forward progress, and avoids the deadlock. [axboe: rewrite comment in ublk] | 2026-01-13 | not yet calculated | CVE-2025-68823 | https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7 https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. | 2026-01-13 | not yet calculated | CVE-2025-71064 | https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6 https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489 https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281 https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510 https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954 https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7 https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a —truncated— | 2026-01-13 | not yet calculated | CVE-2025-71065 | https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307 https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91 https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55 https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { … // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null \|\| true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent —truncated— | 2026-01-13 | not yet calculated | CVE-2025-71066 | https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3 https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9 https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0 https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39 https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] | 2026-01-13 | not yet calculated | CVE-2025-71067 | https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43 https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417 https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. | 2026-01-13 | not yet calculated | CVE-2025-71068 | https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9 https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417 https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() | 2026-01-13 | not yet calculated | CVE-2025-71069 | https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83 https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168 https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6 https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37 https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (“ublk: simplify aborting ublk request”), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 (“ublk: avoid ublk_io_release() called after ublk char dev is closed”) already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0. | 2026-01-13 | not yet calculated | CVE-2025-71070 | https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6 https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. | 2026-01-13 | not yet calculated | CVE-2025-71071 | https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5 https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7 https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171 https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won’t fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately – mtree_store() can’t fail if the index we are trying to store into is already present in the tree as a singleton. For simple_offset_rename_exchange() that’s enough – we just need to be careful about the order of operations. For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations. That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself – otherwise we’d need to deal with the possibility of failure after successful shmem_whiteout(). | 2026-01-13 | not yet calculated | CVE-2025-71072 | https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113 https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd – disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open(). | 2026-01-13 | not yet calculated | CVE-2025-71073 | https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342 https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104 https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) – clear ->i_private there. * have open of dynamic ones verify they hadn’t been already removed, along with checking that state is FFS_ACTIVE. | 2026-01-13 | not yet calculated | CVE-2025-71074 | https://git.kernel.org/stable/c/b49c766856fb5901490de577e046149ebf15e39d https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. | 2026-01-13 | not yet calculated | CVE-2025-71075 | https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8 https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3 https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated. v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh) (cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b) | 2026-01-13 | not yet calculated | CVE-2025-71076 | https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause on only limited harm. | 2026-01-13 | not yet calculated | CVE-2025-71077 | https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06 https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950 https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96 https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23 https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1 https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50 https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction – typically after every 256 context switches – to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 —– —– Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues… setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don’t call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont —truncated— | 2026-01-13 | not yet calculated | CVE-2025-71078 | https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57 https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2 https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37 https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8 https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. | 2026-01-13 | not yet calculated | CVE-2025-71079 | https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3 https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083 https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It’s easy to reproduce it by adding mdelay() after rt6_get_pcpu_route(). Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep. Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur. | 2026-01-13 | not yet calculated | CVE-2025-71080 | https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651 https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. | 2026-01-13 | not yet calculated | CVE-2025-71081 | https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1 https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394 https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0 https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26 https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e (“Bluetooth: Use devm_kzalloc in btusb.c file”). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. | 2026-01-13 | not yet calculated | CVE-2025-71082 | https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1 https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339 https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003 https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well — in this case, ENODATA is recorded instead of the buffer contents. | 2026-01-13 | not yet calculated | CVE-2025-71083 | https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756 https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79 https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1 https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. | 2026-01-13 | not yet calculated | CVE-2025-71084 | https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196 https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162 https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom – skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing “negative” headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size – (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); | 2026-01-13 | not yet calculated | CVE-2025-71085 | https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2 https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910 https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1 https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0 https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24 https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570 https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. | 2026-01-13 | not yet calculated | CVE-2025-71086 | https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042 https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451 https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981 https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280 https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38 https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 (“i40evf: Allow PF driver to configure RSS”), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) – 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2026-01-13 | not yet calculated | CVE-2025-71087 | https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194 https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982 https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232 https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752 https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66 https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage – that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that’s not already there. | 2026-01-13 | not yet calculated | CVE-2025-71088 | https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516 https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1 https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86 https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series “Fix stale IOTLB entries for kernel address space”, v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU’s page tables. The x86 architecture maps the kernel’s virtual address space into the upper portion of every process’s page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU’s internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. | 2026-01-13 | not yet calculated | CVE-2025-71089 | https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9 https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661 https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference. Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file. However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file. Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache. | 2026-01-13 | not yet calculated | CVE-2025-71090 | https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175 https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del – hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. | 2026-01-13 | not yet calculated | CVE-2025-71091 | https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3 https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97 https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39 https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3 https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952 https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758 https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 (“RDMA/bnxt_re: RoCE related hardware counters update”) added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats(). The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set. | 2026-01-13 | not yet calculated | CVE-2025-71092 | https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. | 2026-01-13 | not yet calculated | CVE-2025-71093 | https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80 https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892 https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8 https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578 https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. | 2026-01-13 | not yet calculated | CVE-2025-71094 | https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146 https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2 https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3 https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running the zero copy XDP_TX action; the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type; this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. | 2026-01-13 | not yet calculated | CVE-2025-71095 | https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821 https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897 https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 | 2026-01-13 | not yet calculated | CVE-2025-71096 | https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831 https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94 https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. | 2026-01-13 | not yet calculated | CVE-2025-71097 | https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves the team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 | 2026-01-13 | not yet calculated | CVE-2025-71098 | https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2 https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8 https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60 https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92 https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) – Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31) | 2026-01-13 | not yet calculated | CVE-2025-71099 | https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2 https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() The TID obtained from ieee80211_get_tid() might be out of range of the array size of sta_entry->tids[], so check that the TID is less than MAX_TID_COUNT. Otherwise, UBSAN warns: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type ‘rtl_tid_data [9]’ | 2026-01-13 | not yet calculated | CVE-2025-71100 | https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6 https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66 https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable ‘elem’ that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like ‘enum_obj[elem + reqs]’ and ‘enum_obj[elem + pos_values]’ within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. | 2026-01-13 | not yet calculated | CVE-2025-71101 | https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680 https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a ‘void *’ variable, but a ‘struct task_struct *’ is given. ‘task_scs(tsk)’ is the starting address of the task’s shadow call stack, and ‘__scs_magic(task_scs(tsk))’ is the end address of the task’s shadow call stack. Here should be ‘__scs_magic(task_scs(tsk))’. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead to: 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect values in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk) is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc (which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. | 2026-01-14 | not yet calculated | CVE-2025-71102 | https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3 https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284 https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix dereferencing ifpc_reglist when not declared On platforms with an a7xx GPU not supporting IFPC, the ifpc_reglist is still dereferenced in a7xx_patch_pwrup_reglist(), which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 … pc : a6xx_hw_init+0x155c/0x1e4c [msm] lr : a6xx_hw_init+0x9a8/0x1e4c [msm] … Call trace: a6xx_hw_init+0x155c/0x1e4c [msm] (P) msm_gpu_hw_init+0x58/0x88 [msm] adreno_load_gpu+0x94/0x1fc [msm] msm_open+0xe4/0xf4 [msm] drm_file_alloc+0x1a0/0x2e4 [drm] drm_client_init+0x7c/0x104 [drm] drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib] drm_client_setup+0xb4/0xd8 [drm_client_lib] msm_drm_kms_post_init+0x2c/0x3c [msm] msm_drm_init+0x1a4/0x228 [msm] msm_drm_bind+0x30/0x3c [msm] … Check the validity of ifpc_reglist before dereferencing the table to set up the register values. Patchwork: https://patchwork.freedesktop.org/patch/688944/ | 2026-01-14 | not yet calculated | CVE-2025-71103 | https://git.kernel.org/stable/c/19648135e904bce447d368ecb6136e5da809639c https://git.kernel.org/stable/c/129049d4fe22c998ae9fd1ec479fbb4ed5338c15 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest’s APIC timer in periodic mode, set the expiration to “now” if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer’s maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM’s request for an expiration in the past and immediately re-invokes KVM’s callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM’s hrtimer over and over until the target expiration is advanced to “now” can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 … RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] … RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda (“KVM: VMX: Move preemption timer <=> hrtimer dance to common x86”), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in —truncated— | 2026-01-14 | not yet calculated | CVE-2025-71104 | https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9 https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9 https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379 https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2 https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name ‘f2fs_xattr_entry-7:7’ already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace: __kmem_cache_create include/linux/slab.h:353 [inline] f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 vfs_get_tree+0x43/0x140 fs/super.c:1815 do_new_mount+0x201/0x550 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: – mount /dev/vdb /mnt1 – mount /dev/vdc /mnt2 – umount /mnt1 – mount /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of “f2fs_xattr_entry-7:3”, and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since one more user has referenced the cache. Then, if we try to create slab cache w/ name “f2fs_xattr_entry-7:3” again, slab system will find that there is an existing cache with the same name and trigger the warning. Let’s change to use global inline_xattr_slab instead of per-sb slab cache for fixing. | 2026-01-14 | not yet calculated | CVE-2025-71105 | https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5 https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100 https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4 https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 (“power: always freeze efivarfs”) is reversed, which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. | 2026-01-14 | not yet calculated | CVE-2025-71106 | https://git.kernel.org/stable/c/b107196729ff6b9d6cde0a71f49c1243def43328 https://git.kernel.org/stable/c/222047f68e8565c558728f792f6fef152a1d4d51 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. | 2026-01-14 | not yet calculated | CVE-2025-71107 | https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025 https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511 https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren’t officially Linux supported. | 2026-01-14 | not yet calculated | CVE-2025-71108 | https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432 https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6 https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93 https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943 https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 (“MIPS: Tracing: Reduce the overhead of dynamic Function Tracer”), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel. | 2026-01-14 | not yet calculated | CVE-2025-71109 | https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150 https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes. | 2026-01-14 | not yet calculated | CVE-2025-71110 | https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. | 2026-01-14 | not yet calculated | CVE-2025-71111 | https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18 https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680 https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receiving a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. | 2026-01-14 | not yet calculated | CVE-2025-71112 | https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8 https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1 https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6 https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046 https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128 https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg – zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added ‘inflight’ variable introduced in af_alg_ctx by commit: 67b164a871af (“crypto: af_alg – Disallow multiple in-flight AIO requests”) Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. | 2026-01-14 | not yet calculated | CVE-2025-71113 | https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0 https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550 https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010 https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726 https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as “<BAD>” under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. | 2026-01-14 | not yet calculated | CVE-2025-71114 | https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324 https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78 https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856 https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57 https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we’ll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway. | 2026-01-14 | not yet calculated | CVE-2025-71115 | https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44 https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. | 2026-01-14 | not yet calculated | CVE-2025-71116 | https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2 https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258 https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1 https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125 https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> | 2026-01-14 | not yet calculated | CVE-2025-71117 | https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 (“ACPICA: Avoid walking the ACPI Namespace if it is not there”) fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux. The bad DSDT table’s dump could be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] | 2026-01-14 | not yet calculated | CVE-2025-71118 | https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3 https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36 https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. | 2026-01-14 | not yet calculated | CVE-2025-71119 | https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3 https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1 https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930 https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. | 2026-01-14 | not yet calculated | CVE-2025-71120 | https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810 https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19 https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8 https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinity on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don’t seem to be at the usual location. Let’s avoid the crash by checking the sversion. Also note that reprogramming isn’t necessary either, as the HP730 is just a single-CPU machine. | 2026-01-14 | not yet calculated | CVE-2025-71121 | https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006 https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641 https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only affects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl. | 2026-01-14 | not yet calculated | CVE-2025-71122 | https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97 https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925 https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can’t be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 (“string.h: Introduce memtostr() and memtostr_pad()”) provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-01-14 | not yet calculated | CVE-2025-71123 | https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820 https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0 https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling. Patchwork: https://patchwork.freedesktop.org/patch/687659/ | 2026-01-14 | not yet calculated | CVE-2025-71124 | https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: <TASK> tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Instead, have the code return -ENODEV, which doesn’t warn and has perf error out with: # perf record -e synthetic:futex_wait Error: The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait). “dmesg | grep -i perf” may provide additional information. Ideally perf should support synthetic events, but for now just fix the warning. The support can come later. | 2026-01-14 | not yet calculated | CVE-2025-71125 | https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6 https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69 https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7 https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback. Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. | 2026-01-14 | not yet calculated | CVE-2025-71126 | https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79 https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41 https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better to have strict filtering for this on the receive side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check for discarding all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. | 2026-01-14 | not yet calculated | CVE-2025-71127 | https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35 https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661 https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2 https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0 https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8 |
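The receive-side filter described in the mac80211 entry above, as an added example that is not mac80211 code: it reads the fixed 24-byte 802.11 MAC header, identifies Beacon frames from the Frame Control type/subtype, and drops any Beacon whose Address 1 is not ff:ff:ff:ff:ff:ff, without consulting the Protected Frame bit at all, which is what closes the gap in the BIGTK check. The header layout follows IEEE 802.11; the function names, the builder used to construct test frames and the sample station address are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed 24-byte 802.11 MAC header as it appears on the wire for management
 * frames. Frame Control is little-endian; byte 0 carries type and subtype,
 * byte 1 carries the Protected Frame bit. */
struct ieee80211_hdr_min {
    uint8_t frame_control[2];
    uint8_t duration[2];
    uint8_t addr1[6];   /* receiver address: must be broadcast for Beacons */
    uint8_t addr2[6];   /* transmitter address */
    uint8_t addr3[6];   /* BSSID */
    uint8_t seq_ctrl[2];
};

#define FC0_TYPE_MASK      0x0c
#define FC0_SUBTYPE_MASK   0xf0
#define FC0_TYPE_MGMT      0x00
#define FC0_SUBTYPE_BEACON 0x80
#define FC1_PROTECTED      0x40   /* Protected Frame bit, second FC byte */

static const uint8_t broadcast_addr[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
/* Constructed unicast station address used by the demo helpers below. */
static const uint8_t example_sta_addr[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};

static bool is_beacon(const struct ieee80211_hdr_min *h)
{
    uint8_t fc0 = h->frame_control[0];
    return (fc0 & FC0_TYPE_MASK) == FC0_TYPE_MGMT &&
           (fc0 & FC0_SUBTYPE_MASK) == FC0_SUBTYPE_BEACON;
}

/* Return true if the receive path should discard this frame. The decision
 * deliberately ignores the Protected Frame bit: a Beacon with A1 != broadcast
 * is invalid per IEEE 802.11-2020 11.1.3.1 whether or not it claims to be
 * protected, so no BIGTK state is needed to reject it. */
bool should_drop_unicast_beacon(const uint8_t *frame, size_t len)
{
    struct ieee80211_hdr_min h;

    if (len < sizeof h)
        return true;                 /* runt frame: cannot be a valid Beacon */
    memcpy(&h, frame, sizeof h);     /* copy avoids alignment assumptions */
    if (!is_beacon(&h))
        return false;                /* not a Beacon: leave to the normal path */
    return memcmp(h.addr1, broadcast_addr, sizeof h.addr1) != 0;
}

/* Build a Beacon header with the given Address 1 and Protected bit.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_beacon_hdr(uint8_t *out, size_t out_len,
                        const uint8_t addr1[6], bool set_protected)
{
    struct ieee80211_hdr_min h;

    if (out_len < sizeof h)
        return 0;
    memset(&h, 0, sizeof h);
    h.frame_control[0] = FC0_TYPE_MGMT | FC0_SUBTYPE_BEACON;
    if (set_protected)
        h.frame_control[1] |= FC1_PROTECTED;
    memcpy(h.addr1, addr1, 6);
    memcpy(h.addr2, example_sta_addr, 6);   /* transmitter/BSSID: not checked */
    memcpy(h.addr3, example_sta_addr, 6);
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* Demo: does the filter drop a Beacon addressed to addr1 with the given
 * Protected bit? Wraps build + check so callers need no buffer handling. */
bool beacon_dropped(const uint8_t addr1[6], bool set_protected)
{
    uint8_t buf[sizeof(struct ieee80211_hdr_min)];
    size_t n = build_beacon_hdr(buf, sizeof buf, addr1, set_protected);
    return should_drop_unicast_beacon(buf, n);
}

/* Demo: a unicast Data frame (type 2) is not touched by this filter. */
bool unicast_data_frame_dropped(void)
{
    uint8_t buf[sizeof(struct ieee80211_hdr_min)];
    size_t n = build_beacon_hdr(buf, sizeof buf, example_sta_addr, false);
    buf[0] = 0x08;   /* rewrite type/subtype to Data */
    return should_drop_unicast_beacon(buf, n);
}
```

The interesting case is `beacon_dropped(example_sta_addr, true)`: a unicast Beacon with the Protected Frame bit set, which is the frame the old BIGTK-based logic let through, is rejected on Address 1 alone.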
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580 | 2026-01-14 | not yet calculated | CVE-2025-71128 | https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743 https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend their arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension in place, meaning on a value already stored in the target register (Note: this is different from the existing sign_extend() helper and thus we can't reuse it). | 2026-01-14 | not yet calculated | CVE-2025-71129 | https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39 https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6 https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point the lookup function failed. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) | 2026-01-14 | not yet calculated | CVE-2025-71130 | https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893 https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117 https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3 https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv – Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. | 2026-01-14 | not yet calculated | CVE-2025-71131 | https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46 https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798 https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169 https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). | 2026-01-14 | not yet calculated | CVE-2025-71132 | https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6 https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0 https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6 https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from “neigh” (alias “ptr”) until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by “ptr” and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: […] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> | 2026-01-14 | not yet calculated | CVE-2025-71133 | https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8 https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354 https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ————[ cut here ]———— [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 —truncated— | 2026-01-14 | not yet calculated | CVE-2025-71134 | https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5 https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) … If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). | 2026-01-14 | not yet calculated | CVE-2025-71135 | https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01 https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It’s possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it’s needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-14 | not yet calculated | CVE-2025-71136 | https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76 https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983 https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4 https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 |
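The error-as-index hazard behind the adv7842 entry above, as an added example that is not the driver's code: a simulated register read that can return -EIO, the unchecked lookup that turns that negative value into an out-of-bounds table index, and the checked version that treats any negative return as a read failure before deriving an index. The register layout (field in the top two bits), the table contents and the helper names are constructed for this example; the real driver's tables and register offsets differ.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed lookup table indexed by the top two bits of a status register. */
static const char *const color_space_txt[4] = {
    "RGB limited range", "RGB full range", "YCbCr 601", "YCbCr 709",
};

/* Simulated bus read in the style of cp_read()/hdmi_read(): the register
 * value (0..255) on success, or a negative errno such as -EIO on failure. */
int reg_read_sim(bool bus_error, unsigned char value)
{
    return bus_error ? -EIO : value;
}

/* The raw index the unchecked code derives from a read. For a valid byte this
 * is 0..3; for -EIO (-5) an arithmetic right shift yields -1, one element
 * before the start of the table. */
long raw_index_from_read(int reg)
{
    return reg >> 6;
}

/* Is idx a valid index into color_space_txt? */
bool index_in_table(long idx)
{
    return idx >= 0 &&
           (unsigned long)idx < sizeof color_space_txt / sizeof color_space_txt[0];
}

/* The bug's shape: the return value is used directly as an index, so a bus
 * error reads outside the table. Only call this with a value known to be
 * a real register byte; it exists here to show the hazard. */
const char *describe_color_space_unchecked(int reg)
{
    return color_space_txt[reg >> 6];
}

/* Fixed: refuse negative (errno) returns before they become an index, then
 * mask to the field width rather than trusting the value's range. */
const char *describe_color_space(int reg)
{
    size_t idx;

    if (reg < 0)
        return "read error";
    idx = ((unsigned)reg >> 6) & 0x3;   /* always 0..3 */
    return color_space_txt[idx];
}
```

Any read helper that can return a negative errno needs the `reg < 0` test before its result feeds a shift, mask or subscript; masking alone does not help, because the error value has already been shifted into the index.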
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G. | 2026-01-14 | not yet calculated | CVE-2025-71137 | https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655 https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624 https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3 https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ | 2026-01-14 | not yet calculated | CVE-2025-71138 | https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9 https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7 https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1 https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ————[ cut here ]———— [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 […] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] __do_sys_kexec_file_load+0x29c/0x368 […] [ 40.855423] —[ end trace 0000000000000000 ]— *** How to reproduce *** This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the “cma=” option in the kernel command line to reserve one. *** Root cause *** The commit 07d24902977e (“kexec: enable CMA based contiguous allocation”) allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and map them into a contiguous virtual address by vmap(). *** Solution *** If IMA segment is allocated in the CMA area, use its page_address() directly. | 2026-01-14 | not yet calculated | CVE-2025-71139 | https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered. Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock. | 2026-01-14 | not yet calculated | CVE-2025-71140 | https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351 https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1 https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 … [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. | 2026-01-14 | not yet calculated | CVE-2025-71141 | https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642 https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 Call Trace: <TASK> update_prstate+0x2d3/0x580 cpuset_partition_write+0x94/0xf0 kernfs_fop_write_iter+0x147/0x200 vfs_write+0x35d/0x500 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f55c8cd4887 Reproduction steps (on a 16-CPU machine): # cd /sys/fs/cgroup/ # mkdir A1 # echo +cpuset > A1/cgroup.subtree_control # echo "0-14" > A1/cpuset.cpus.exclusive # mkdir A1/A2 # echo "0-14" > A1/A2/cpuset.cpus.exclusive # echo "root" > A1/A2/cpuset.cpus.partition # echo 0 > /sys/devices/system/cpu/cpu15/online # echo member > A1/A2/cpuset.cpus.partition When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs remain available for the top_cpuset, forcing partitions to share CPUs with the top_cpuset. In this scenario, disabling the remote partition triggers a warning stating that effective_xcpus is not a subset of subpartitions_cpus. Partitions should be invalidated in this case to inform users that the partition is now invalid (cpus are shared with top_cpuset). To fix this issue: 1. Only emit the warning if subpartitions_cpus is not empty and the effective_xcpus is not a subset of subpartitions_cpus. 2. During the CPU hotplug process, invalidate partitions if subpartitions_cpus is empty. | 2026-01-14 | not yet calculated | CVE-2025-71142 | https://git.kernel.org/stable/c/5d8b9d38a7676be7bb5e7d57f92156a98dab39fb https://git.kernel.org/stable/c/aa7d3a56a20f07978d9f401e13637a6479b13bd0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 (“clk: Annotate struct clk_hw_onecell_data with __counted_by”) annotated the hws member of ‘struct clk_hw_onecell_data’ with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed: UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type ‘clk_hw *[*]’ Move the .num initialization to before the first access of .hws[], clearing up the warning. | 2026-01-14 | not yet calculated | CVE-2025-71143 | https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236 https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0 https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290 https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db |
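The ordering rule shared by the erspan entry (CVE-2025-71128) and the exynos-clkout entry just above, as an added example that is not kernel code: a `__counted_by` counter must be written before the first access to the flexible array it bounds, because a bounds-checked `memcpy` or subscript trusts that counter. The block models `struct ip_tunnel_info` as a small `struct tun_info`, shows the helper-style setter that writes the counter first, and shows the ERSPAN-style partial update that is only safe because the counter was published at allocation. The attribute is spelled through a feature-test macro so the file also builds on compilers without `counted_by`; the struct layout, helper names and the -1 error convention are assumptions for this example, and the explicit length check stands in for what FORTIFY_SOURCE or UBSAN_BOUNDS would trap on.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Real attribute on GCC 15+ / clang 18+, a no-op elsewhere. With the
 * attribute and FORTIFY_SOURCE or -fsanitize=bounds, the compiler treats
 * `options_len` as the bound of `options[]` at every access. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)
#endif

/* Modelled on struct ip_tunnel_info (and on struct clk_hw_onecell_data's
 * num/hws pair): the counter must be set before options[] is touched. */
struct tun_info {
    uint16_t key_id;
    uint8_t  options_len;
    uint8_t  options[] COUNTED_BY(options_len);
};

/* Allocate room for `len` option bytes and publish the bound immediately, so
 * a later partial write is checked against the real size, not against 0. */
struct tun_info *tun_info_alloc(uint8_t len)
{
    struct tun_info *info = calloc(1, sizeof *info + len);
    if (!info)
        return NULL;
    info->options_len = len;   /* counter first, before any options[] access */
    return info;
}

/* Mirror of ip_tunnel_info_opts_set(): write the counter, then copy. */
void tun_info_opts_set(struct tun_info *info, const void *src, uint8_t len)
{
    info->options_len = len;
    memcpy(info->options, src, len);
}

/* ERSPAN-style partial update: one 32-bit field written into options[]
 * without the setter. If options_len were still 0 this is exactly the
 * "4 byte write of buffer size 0" from the report; here the check returns -1
 * where a fortified memcpy would panic. */
int tun_info_set_erspan_field(struct tun_info *info, uint32_t v)
{
    if ((size_t)info->options_len < sizeof v)
        return -1;
    memcpy(info->options, &v, sizeof v);
    return 0;
}

/* Demo: correct ordering. Returns the field read back (0xdeadbeef) on success. */
uint32_t demo_counter_set_before_access(void)
{
    uint32_t out = 0;
    struct tun_info *info = tun_info_alloc(4);
    if (!info)
        return 0;
    if (tun_info_set_erspan_field(info, 0xdeadbeefu) == 0)
        memcpy(&out, info->options, sizeof out);
    free(info);
    return out;
}

/* Demo: the bug's shape. Memory for 4 option bytes exists, but options_len
 * was never set (still 0 from calloc), so the partial update is refused. */
int demo_counter_left_at_zero(void)
{
    struct tun_info *info = calloc(1, sizeof *info + 4);
    int rc;
    if (!info)
        return -2;
    rc = tun_info_set_erspan_field(info, 0xdeadbeefu);
    free(info);
    return rc;
}

/* Demo: the helper path. Returns the published length after a 3-byte set. */
uint8_t demo_opts_set_publishes_len(void)
{
    static const uint8_t opts[3] = {0x01, 0x02, 0x03};   /* constructed */
    struct tun_info *info = tun_info_alloc(sizeof opts);
    uint8_t len;
    if (!info)
        return 0;
    tun_info_opts_set(info, opts, sizeof opts);
    len = info->options_len;
    free(info);
    return len;
}
```

The same discipline applies to `struct clk_hw_onecell_data`: assign `.num` before the first `.hws[i]` store, otherwise every store before the assignment is a reported out-of-bounds access against a zero-length array.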
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallen back to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose` flag and the later __mptcp_close_ssk() no longer resets the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue by setting an explicit `fastclosing` flag at fastclose time, and checking that flag after mptcp_do_fastclose(). | 2026-01-14 | not yet calculated | CVE-2025-71144 | https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07 https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e |
| Ludashi–Ludashi | A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass Kernel Address Space Layout Randomization (KASLR) and achieve local privilege escalation. | 2026-01-15 | not yet calculated | CVE-2025-67246 | http://ludashi.com https://github.com/CDipper/CVE-Publication |
| LycheeOrg–Lychee | Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee’s album password unlock functionality that allows users to gain possibly unauthorized access to other users’ password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. | 2026-01-12 | not yet calculated | CVE-2026-22784 | https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25 https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41 |
| maximmasiutin–TinyWeb | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98. | 2026-01-12 | not yet calculated | CVE-2026-22781 | https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html |
| MCP Server–Zen | A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. | 2026-01-12 | not yet calculated | CVE-2025-66689 | https://github.com/BeehiveInnovations/zen-mcp-server/issues/293 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md |
| metabase–metabase | Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. | 2026-01-12 | not yet calculated | CVE-2026-22805 | https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx |
| Microsoft–Microsoft Edge (Chromium-based) | Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | 2026-01-16 | not yet calculated | CVE-2026-21223 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Mini Router–Italy Wireless | A Stored Cross-Site Scripting (XSS) vulnerability in the Web management interface of Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload, because the repeater AP SSID value is displayed without sanitization on pages served at /index.htm. | 2026-01-15 | not yet calculated | CVE-2025-65349 | https://imgur.com/a/X9DNOBj https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-65349 |
| Mitel MiVoice–Mitel MiVoice | A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system. | 2026-01-15 | not yet calculated | CVE-2025-67822 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 |
| Mitel–Mitel | A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim’s browser or desktop client application. | 2026-01-15 | not yet calculated | CVE-2025-67823 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010 |
| mlflow–mlflow/mlflow | MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | 2026-01-12 | not yet calculated | CVE-2025-14279 | https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108 https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3 |
| Mozilla–Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0877 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999257 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0878 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003989 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0879 | https://bugzilla.mozilla.org/show_bug.cgi?id=2004602 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0880 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005014 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0881 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005845 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla–Firefox | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0882 | https://bugzilla.mozilla.org/show_bug.cgi?id=1924125 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0883 | https://bugzilla.mozilla.org/show_bug.cgi?id=1989340 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0884 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003588 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0885 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003607 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0886 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005658 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0887 | https://bugzilla.mozilla.org/show_bug.cgi?id=2006500 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0888 | https://bugzilla.mozilla.org/show_bug.cgi?id=1985996 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla–Firefox | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0889 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999084 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla–Firefox | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0890 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005081 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla–Firefox | Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0892 | Memory safety bugs fixed in Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| nanomq–nanomq | An issue in nanomq v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the Nanomq process continues to increase, causing the nanomq broker to fall into a deadlock and be unable to provide normal services. | 2026-01-15 | not yet calculated | CVE-2024-48077 | https://github.com/nanomq/nanomq https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 |
| NAVER–lucy-xss-filter | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. | 2026-01-16 | not yet calculated | CVE-2026-23768 | https://cve.naver.com/detail/cve-2026-23768.html https://github.com/naver/lucy-xss-filter/pull/31 |
| NAVER–lucy-xss-filter | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | 2026-01-16 | not yet calculated | CVE-2026-23769 | https://cve.naver.com/detail/cve-2026-23769.html https://github.com/naver/lucy-xss-filter/pull/32 |
| Neoteroi–BlackSheep | BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates handling of response headers to an underlying ASGI server. This vulnerability is fixed in 2.4.6. | 2026-01-14 | not yet calculated | CVE-2026-22779 | https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12 https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6 |
| NETAPP–ONTAP 9 | ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. | 2026-01-12 | not yet calculated | CVE-2026-22050 | https://security.netapp.com/advisory/NTAP-20260112-0001 |
| NETGEAR–EX5000 | An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | 2026-01-13 | not yet calculated | CVE-2026-0407 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR–EX5000 | A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router’s IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI. | 2026-01-13 | not yet calculated | CVE-2026-0408 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR–RBE970 | An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. | 2026-01-13 | not yet calculated | CVE-2026-0405 | https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/cbr750 https://www.netgear.com/support/product/nbr750 https://www.netgear.com/support/product/rbe770 https://www.netgear.com/support/product/rbe771 https://www.netgear.com/support/product/rbe772 https://www.netgear.com/support/product/rbe773 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbe370 https://www.netgear.com/support/product/rbe371 https://www.netgear.com/support/product/rbe372 https://www.netgear.com/support/product/rbe373 https://www.netgear.com/support/product/rbe374 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR–RBR750 | An insufficient input validation vulnerability in NETGEAR Orbi routers allows attackers connected to the router’s LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0403 | https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR–RBRE960 | An insufficient input validation vulnerability in NETGEAR Orbi devices’ DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default. | 2026-01-13 | not yet calculated | CVE-2026-0404 | https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR–XR1000v2 | An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router’s LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0406 | https://www.netgear.com/support/product/xr1000v2 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| Ollama–Ollama | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted. | 2026-01-12 | not yet calculated | CVE-2025-15514 | https://huntr.com/bounties/172df98b-07cd-41ea-a628-366f8cd525c0 https://ollama.com/ https://github.com/ollama/ollama https://www.vulncheck.com/advisories/ollama-multi-modal-image-processing-null-pointer-dereference |
| Omnilogic–Omni Secure Files | Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin’s uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. | 2026-01-16 | not yet calculated | CVE-2012-10064 | https://wpscan.com/vulnerability/376fd666-6471-479c-9b74-1d8088a33e89/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omni-secure-files/omni-secure-files-0113-arbitrary-file-upload https://wordpress.org/plugins/omni-secure-files/ https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-omni-secure-files-upload-php-arbitrary-file-upload-0-1-13/ https://web.archive.org/web/20121025112632/http%3A//secunia.com/advisories/49441 https://packetstorm.news/files/id/113411 https://www.exploit-db.com/exploits/19009 https://web.archive.org/web/20191021091221/https%3A//www.securityfocus.com/bid/53872/ https://www.vulncheck.com/advisories/omni-secure-files-unauthenticated-arbitrary-file-upload |
| Omnispace–Omnispace | Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. | 2026-01-15 | not yet calculated | CVE-2025-67076 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace–Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated users, or under certain conditions also guest users, to upload files via the UploadTmpFile action. | 2026-01-15 | not yet calculated | CVE-2025-67077 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace–Omnispace | Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | 2026-01-15 | not yet calculated | CVE-2025-67078 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace–Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions. | 2026-01-15 | not yet calculated | CVE-2025-67079 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| orval-labs–orval | orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to “break out” of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0. | 2026-01-12 | not yet calculated | CVE-2026-22785 | https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d |
| Paessler–Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. | 2026-01-14 | not yet calculated | CVE-2025-67833 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler–Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. | 2026-01-14 | not yet calculated | CVE-2025-67834 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler–Paessler | Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality. | 2026-01-14 | not yet calculated | CVE-2025-67835 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Palo Alto Networks–Cloud NGFW | A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode. | 2026-01-15 | not yet calculated | CVE-2026-0227 | https://security.paloaltonetworks.com/CVE-2025-4620 |
| Pegasystems–Pega Infinity | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. | 2026-01-13 | not yet calculated | CVE-2025-62182 | https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note |
| pH7Software–pH7Software | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | 2026-01-14 | not yet calculated | CVE-2025-63644 | https://drive.google.com/drive/folders/1mYDvUTnlTPCGTB-7tHD3pmu_wHtlMVRP https://medium.com/@rudranshsinghrajpurohit/cve-2025-63644-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-23ed0e7eb853 |
| phpgurukul–phpgurukul | phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted. | 2026-01-13 | not yet calculated | CVE-2025-69990 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md |
| phpgurukul–phpgurukul | phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. | 2026-01-13 | not yet calculated | CVE-2025-69991 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/SQL%20Injection.md |
| phpgurukul–phpgurukul | phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication. | 2026-01-13 | not yet calculated | CVE-2025-69992 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20upload%20vulnerability.md |
| QloApps–QloApps | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin’s email address via a crafted HTML document. | 2026-01-12 | not yet calculated | CVE-2021-41074 | https://qloapps.com/ https://github.com/dillonkirsch/CVE-2021-41074 |
| RIOT–RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix ‘/dev/’ with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption. | 2026-01-12 | not yet calculated | CVE-2026-22213 | https://seclists.org/fulldisclosure/2026/Jan/15 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility |
| RIOT–RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash. | 2026-01-12 | not yet calculated | CVE-2026-22214 | https://seclists.org/fulldisclosure/2026/Jan/16 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser |
| run-llama–llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. | 2026-01-12 | not yet calculated | CVE-2024-14021 | https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12 https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization |
| run-llama–llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). | 2026-01-12 | not yet calculated | CVE-2024-58339 | https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion |
| RustCrypto–utils | RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. | 2026-01-15 | not yet calculated | CVE-2026-23519 | https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778 |
| rustfs–rustfs | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | 2026-01-16 | not yet calculated | CVE-2026-22782 | https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122 |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68698 | https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68701 | https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0'), because SHA-256 produces 32 bytes, which equates to 64 hex characters. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68702 | https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68703 | https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68704 | https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68925 | https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman–jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68931 | https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| Schneider Electric–EcoStruxure Power Build Rapsody | CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13844 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Schneider Electric–EcoStruxure Power Build Rapsody | CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13845 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Semantic–Semantic | An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | 2026-01-13 | not yet calculated | CVE-2025-66698 | http://veda.com http://semantic.com https://github.com/Perunchess/CVE-2025-66698 |
| ServiceNow–Now Assist AI Agents | A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so. | 2026-01-12 | not yet calculated | CVE-2025-12420 | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329 |
| siyuan-note–siyuan | SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. | 2026-01-16 | not yet calculated | CVE-2026-23645 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 |
| Slab–Quill | A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. | 2026-01-13 | not yet calculated | CVE-2025-15056 | https://fluidattacks.com/advisories/diomedes https://github.com/slab/quill |
| Sonatype–Nexus Repository | Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default. | 2026-01-14 | not yet calculated | CVE-2026-0600 | https://support.sonatype.com/hc/en-us/articles/47928855816595 |
| Sonatype–Nexus Repository | A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser through a specially crafted request requiring user interaction. | 2026-01-14 | not yet calculated | CVE-2026-0601 | https://help.sonatype.com/en/sonatype-nexus-repository-3-88-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/47934334375955 |
| Sourcecodester–Sourcecodester | Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application accepts a PHP reverse shell uploaded as the user's image, enabling RCE. | 2026-01-12 | not yet calculated | CVE-2025-66802 | https://feedly.com/cve/CVE-2022-2746 https://github.com/mtgsjr/CVE-2025-66802 |
| SparkyFitness–SparkyFitness | SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | 2026-01-15 | not yet calculated | CVE-2025-65368 | https://github.com/CodeWithCJ/SparkyFitness https://github.com/CodeWithCJ/SparkyFitness/security/advisories/GHSA-j7x6-6678-2xqp#event-521570 |
| Stackideas.com–EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21623 | https://stackideas.com/easydiscuss |
| Stackideas.com–EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21624 | https://stackideas.com/easydiscuss |
| Stackideas.com–EasyDiscuss extension for Joomla | User-provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are checked purely by file extension; no MIME type checks are performed. | 2026-01-16 | not yet calculated | CVE-2026-21625 | https://stackideas.com/easydiscuss |
| SteelSeries–SteelSeries | SteelSeries Nahimic 3 1.10.7 allows Directory traversal. | 2026-01-16 | not yet calculated | CVE-2025-68921 | https://steelseries.gg https://steelseries.com/nahimic https://gist.github.com/ZeroMemoryEx/93208b7e57a5444de3654816857ddef4 |
| Steven–Uploadify | Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location. | 2026-01-15 | not yet calculated | CVE-2011-10041 | https://packetstorm.news/files/id/98652 https://wpscan.com/vulnerability/6946364c-9764-468e-87d5-2dd57e531985/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/uploadify/uploadify-10-arbitrary-file-upload https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-uploadify-remote-file-upload-1-0/ https://www.vulncheck.com/advisories/uploadify-unauthenticated-arbitrary-file-upload |
| Svelte–Svelte | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users’ browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | 2026-01-15 | not yet calculated | CVE-2025-15265 | https://fluidattacks.com/advisories/lydian https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 https://fluidattacks.com/advisories/lydian |
| sveltejs–kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2025-67647 | https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35 https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226 |
| sveltejs–kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2026-22803 | https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46 https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5 https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1 |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70656 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/11/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70744 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/10/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-70746 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/4/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-70747 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/6/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-70753 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/8/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-71019 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/9/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-71020 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/5/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-71021 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/7/1.md |
| Tenda–Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71023 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/11/1.md |
| Tenda–Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71024 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/12/1.md |
| Tenda–Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71025 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/10/1.md |
| Tenda–Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71026 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/9/1.md |
| Tenda–Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71027 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/8/1.md |
| The GNU C Library–glibc | Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must have control over both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62 + 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. | 2026-01-14 | not yet calculated | CVE-2026-0861 | https://sourceware.org/bugzilla/show_bug.cgi?id=33796 https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 |
| The GNU C Library–glibc | Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library’s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. | 2026-01-15 | not yet calculated | CVE-2026-0915 | https://sourceware.org/bugzilla/show_bug.cgi?id=33802 |
| The Nu Html Checker–The Nu Html Checker | Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd). | 2026-01-16 | not yet calculated | CVE-2025-15104 | https://fluidattacks.com/advisories/europe https://github.com/validator/validator |
| TheLibrarian–TheLibrarian.io | The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker and thereby to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian. | 2026-01-16 | not yet calculated | CVE-2026-0612 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian–TheLibrarian.io | The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0613 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TheLibrarian–TheLibrarian.io | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0615 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian–TheLibrarian.io | TheLibrarian's `web_fetch` tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0616 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TinyOS–TinyOS | TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output. | 2026-01-14 | not yet calculated | CVE-2026-22211 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-global-buffer-overflow-in-printfuart |
| TinyOS–TinyOS | TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes. | 2026-01-12 | not yet calculated | CVE-2026-22212 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio |
| TOA Corporation–Multiple Network Cameras TRIFORA 3 series | OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command. | 2026-01-16 | not yet calculated | CVE-2026-20759 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation–Multiple Network Cameras TRIFORA 3 series | Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | 2026-01-16 | not yet calculated | CVE-2026-20894 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation–Multiple Network Cameras TRIFORA 3 series | Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege. | 2026-01-16 | not yet calculated | CVE-2026-22876 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| Tongyu–Tongyu | An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | 2026-01-13 | not yet calculated | CVE-2025-68707 | https://www.tongyucom.com/product/ax1800.html https://github.com/actuator/cve/tree/main/Tongyu https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt |
| TP-Link Systems Inc.–TL-WR841N v14 | A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service. This issue affects TL-WR841N v14: before 250908. | 2026-01-15 | not yet calculated | CVE-2025-9014 | https://www.tp-link.com/us/support/faq/4894/ https://www.tp-link.com/jp/support/download/tl-wr841n/#Firmware https://www.tp-link.com/en/support/download/tl-wr841n/#Firmware https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware |
| TP-Link Systems Inc.–VIGI InSight Sx45 Series (S245/S345/S445) | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. | 2026-01-16 | not yet calculated | CVE-2026-0629 | https://www.vigi.com/us/support/download/ https://www.vigi.com/en/support/download/ https://www.vigi.com/in/support/download/ https://www.tp-link.com/us/support/faq/4899/ |
| Typesetter–Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim’s browser session. | 2026-01-14 | not yet calculated | CVE-2025-71164 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/706 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php |
| Typesetter–Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user’s browser session. | 2026-01-14 | not yet calculated | CVE-2025-71165 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/709 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php |
| Typesetter–Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user’s browser session. | 2026-01-14 | not yet calculated | CVE-2025-71166 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/707 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling |
| TYPO3–TYPO3 CMS | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59020 | https://typo3.org/security/advisory/typo3-core-sa-2026-001 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3–TYPO3 CMS | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59021 | https://typo3.org/security/advisory/typo3-core-sa-2026-002 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3–TYPO3 CMS | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA – regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59022 | https://typo3.org/security/advisory/typo3-core-sa-2026-003 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3–TYPO3 CMS | TYPO3’s mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2026-0859 | https://typo3.org/security/advisory/typo3-core-sa-2026-004 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| Vanilla OS–fabricators ltd | fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. | 2026-01-13 | not yet calculated | CVE-2024-54855 | http://vanilla.com http://fabricators.com https://github.com/Vanilla-OS/core-image/security/advisories/GHSA-67pc-hqr2-g34h |
| Viafirma–Inbox | An IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users and to access and modify their data. This allows users’ email addresses to be modified and, subsequently, the password recovery functionality to be used to access the application by impersonating any user, including those with administrative permissions. | 2026-01-12 | not yet calculated | CVE-2025-41077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Viafirma–Viafirma Documents | Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. | 2026-01-12 | not yet calculated | CVE-2025-41078 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Vivotek–Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 (Firmware modules) allows OS Command Injection.This issue affects Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c. | 2026-01-13 | not yet calculated | CVE-2026-22755 | http://www.vapidlabs.com/advisory.php?v=220 |
| WeblateOrg–weblate | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. | 2026-01-14 | not yet calculated | CVE-2026-21889 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385 https://github.com/WeblateOrg/weblate/pull/17516 https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47 |
| WordPress–Dreamer Blog | The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | 2026-01-13 | not yet calculated | CVE-2025-10915 | https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/ |
| WordPress–E-xact \| Hosted Payment \| | The E-xact \| Hosted Payment \| WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | 2026-01-13 | not yet calculated | CVE-2025-14829 | https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/ |
| WordPress–Quiz Maker | The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-12 | not yet calculated | CVE-2025-14579 | https://wpscan.com/vulnerability/1ff8ea2b-6513-4d5c-b7ea-9ab39c9ea9c6/ |
| WorkDo–eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo’s eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters. | 2026-01-12 | not yet calculated | CVE-2025-40977 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo–eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo’s eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter. | 2026-01-12 | not yet calculated | CVE-2025-40978 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo–HRMGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo’s HRMGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/hrmgo/ticket/changereply’, using the ‘description’ parameter. | 2026-01-12 | not yet calculated | CVE-2025-40975 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo–TicketGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo’s TicketGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticketgo-saas/home’, using the ‘description’ parameter. | 2026-01-12 | not yet calculated | CVE-2025-40976 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| xmall–xmall | Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users’ order details via manipulation of the query parameter userId. | 2026-01-12 | not yet calculated | CVE-2023-36331 | https://github.com/Exrick/xmall/issues/100 |
| yhirose–cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. | 2026-01-12 | not yet calculated | CVE-2026-22776 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792 |
| YSoft–SafeQ 6 | Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. | 2026-01-14 | not yet calculated | CVE-2025-13175 | https://www.ysoft.com/safeq https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106 https://cert.pl/en/posts/2026/01/CVE-2025-13175 |
| Zhiyuan–Zhyuan | Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. | 2026-01-16 | not yet calculated | CVE-2025-56451 | https://www.yuque.com/076w/syst1m/zlp7c6hmowx6cg51?singleDoc https://gist.github.com/076w/b223381ba06b05845d919fb29619777b |
