⬡ Vulnerability Digest
Security Report
Total Findings
366
Critical
54
High
210
Actively Exploited
5
CISA-KEV5
NVD239
GitHub-GHSA122
Findings sorted by severity
CISA-KEV
CRITICAL
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA-KEV
CRITICAL
Ivanti Sentry OS Command Injection Vulnerability
Ivanti Sentry OS Command Injection Vulnerability
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged stat…
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA-KEV
CRITICAL
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Ed…
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA-KEV
CRITICAL
Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA-KEV
CRITICAL
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
NVD
CRITICAL
CVE-2026-47208
CVE-2026-47208
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.
CWE: CWE-913
NVD
CRITICAL
CVE-2026-47140
CVE-2026-47140
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-si…
CWE: CWE-693
NVD
CRITICAL
CVE-2026-47137
CVE-2026-47137
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is t…
CWE: CWE-913
NVD
CRITICAL
CVE-2026-47131
CVE-2026-47131
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, whic…
CWE: CWE-913
NVD
CRITICAL
CVE-2026-49261
CVE-2026-49261
MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 1…
CWE: CWE-78
NVD
CRITICAL
CVE-2026-50566
CVE-2026-50566
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability contain…
CWE: CWE-250, CWE-269
NVD
CRITICAL
CVE-2026-50564
CVE-2026-50564
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for r…
CWE: CWE-269, CWE-284, CWE-693
NVD
CRITICAL
CVE-2026-50563
CVE-2026-50563
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built…
CWE: CWE-269, CWE-284
NVD
CRITICAL
CVE-2026-50545
CVE-2026-50545
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fiel…
CWE: CWE-269, CWE-284, CWE-693
NVD
CRITICAL
CVE-2026-45558
CVE-2026-45558
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not vali…
CWE: CWE-20, CWE-77, CWE-78, CWE-94
NVD
CRITICAL
CVE-2026-45556
CVE-2026-45556
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(…) as the de…
CWE: CWE-20, CWE-22, CWE-73, CWE-78
NVD
CRITICAL
CVE-2026-45552
CVE-2026-45552
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip,…
CWE: CWE-639, CWE-862, CWE-863
GitHub-GHSA
CRITICAL
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
The `/api/v1/*` route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at `internal/api/hosts.go:384`: *"API trusts the bearer token for authorisation; per-CA ownership is enforced only in the Web layer."*
The Web UI gates state-changing rou…
CVE-2026-47724
NVD
CRITICAL
CVE-2026-46442
CVE-2026-46442
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKE…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-54133
CVE-2026-54133
jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an a…
CWE: CWE-20, CWE-94, CWE-116
NVD
CRITICAL
CVE-2026-47210
CVE-2026-47210
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). …
CWE: CWE-913
NVD
CRITICAL
CVE-2026-48611
CVE-2026-48611
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
CWE: CWE-287
NVD
CRITICAL
CVE-2026-11561
CVE-2026-11561
Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection.
This issue affects Apinizer: from 2026.04.0 before 2026.04.6.
CWE: CWE-917
NVD
CRITICAL
CVE-2026-46614
CVE-2026-46614
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Fun…
CWE: CWE-284, CWE-862
NVD
CRITICAL
CVE-2026-36721
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
CWE: CWE-347
NVD
CRITICAL
CVE-2026-52778
CVE-2026-52778
YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing…
CWE: CWE-94, CWE-1333
NVD
CRITICAL
CVE-2026-46289
CVE-2026-46289
In the Linux kernel, the following vulnerability has been resolved:
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Patch series "Fix bugs in extract_iter_to_sg()", v3.
Fix bugs in the kvec and user variants of extract_iter_to_sg. This series
is growing due to useful remarks made …
NVD
CRITICAL
CVE-2026-39910
CVE-2026-39910
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers…
CWE: CWE-862
NVD
CRITICAL
CVE-2026-44631
CVE-2026-44631
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
CWE: CWE-124
NVD
CRITICAL
CVE-2026-46703
CVE-2026-46703
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in …
CWE: CWE-22
NVD
CRITICAL
CVE-2026-53474
CVE-2026-53474
A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Inj…
CWE: CWE-89
NVD
CRITICAL
CVE-2026-42904
CVE-2026-42904
Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network.
CWE: CWE-122
NVD
CRITICAL
CVE-2026-11671
CVE-2026-11671
Use after free in Navigation in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-11659
CVE-2026-11659
Integer overflow in UI in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
CRITICAL
CVE-2026-11654
CVE-2026-11654
Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-11651
CVE-2026-11651
Use after free in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-11638
CVE-2026-11638
Use after free in Printing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-11634
CVE-2026-11634
Use after free in Gamepad in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-50090
CVE-2026-50090
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R…
CWE: CWE-1289
NVD
CRITICAL
CVE-2026-46316
CVE-2026-46316
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_ir…
NVD
CRITICAL
CVE-2026-50083
CVE-2026-50083
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-5008…
CWE: CWE-798
NVD
CRITICAL
CVE-2026-9648
CVE-2026-9648
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to imperson…
GitHub-GHSA
CRITICAL
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
# Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
| Field | Value |
| —————- | —– |
| Repository | pipeboard-co/meta-ads-mcp |
| Affected version | ≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102–1.0.105 lack git tags, so patch statu…
CVE-2026-48039
NVD
CRITICAL
CVE-2026-45550
CVE-2026-45550
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target c…
CWE: CWE-639, CWE-862, CWE-863
GitHub-GHSA
CRITICAL
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
## Vulnerability: CWE-798 — Hardcoded JWT Secret + Broken Mitigation
### Affected Component
– `github.com/dhax/go-base` — Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun)
– 1,685 stars on GitHub
### Vulnerability Locations
| File | Line | Role |
|——|——|——|
| `dev…
CVE-2026-48031
NVD
CRITICAL
CVE-2026-36727
CVE-2026-36727
An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
CWE: CWE-287
NVD
CRITICAL
CVE-2026-34182
CVE-2026-34182
Issue Summary: Cryptographic Message Services (CMS) processing fails to perform
sufficient input validation on the cipher and tag length fields of
AuthEnvelopedData containers, leading to various potential compromises.
sufficient input validation on the cipher and tag length fields of
AuthEnvelopedData containers, leading to various potential compromises.
Impact Summary: Attackers making use of these vulnerabilities may achieve
key-eq…
CWE: CWE-354
GitHub-GHSA
CRITICAL
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
## Summary
`/api/public/v1/roles/assign` is guarded by the `builderOrAdmin` middleware, which passes any user who is a builder for the app id in the `x-budibase-app-id` header. That check admits both global builders and workspace-scoped builders (`builder.apps` set but `builder.global` unset). The …
CVE-2026-48150
NVD
CRITICAL
CVE-2026-41005
CVE-2026-41005
Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to fa…
CWE: CWE-347
GitHub-GHSA
CRITICAL
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
# AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
| Field | Value |
| —————- | —– |
| Repository | julien040/anyquery |
| Affected version | 0.4.4 (commit 0abd460) |
| Vulnerability | CWE-94 — Improper Control of Generation of Code |
| Seve…
CVE-2026-47252
NVD
CRITICAL
CVE-2026-11393
CVE-2026-11393
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another u…
CWE: CWE-94
GitHub-GHSA
CRITICAL
shell-quote quote() does not escape newlines in object .op values
shell-quote quote() does not escape newlines in object .op values
### Summary
`shell-quote`'s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (`\n`, `\r`, U+2028, U+2029). A line ter…
CVE-2026-9277
GitHub-GHSA
CRITICAL
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
### Impact
Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake `messages.upsert` event with a **fake message key and payload**. This allows anyone to spoof messages. The same exploit also allows…
Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake `messages.upsert` event with a **fake message key and payload**. This allows anyone to spoof messages. The same exploit also allows…
CVE-2026-48063
GitHub-GHSA
CRITICAL
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
## Summary
The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending C…
CVE-2026-47430
NVD
HIGH
CVE-2026-46519
CVE-2026-46519
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting whi…
CWE: CWE-863
GitHub-GHSA
HIGH
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
## Summary
The OpenZeppelin Contracts Wizard generated Hardhat (`test/test.ts`) and Foundry (`test/<Name>.t.sol`) example test files that interpolated user-supplied strings (`opts.name`, `opts.uri`) into the test source without escaping. A crafted input could produce a generated test file in which …
CVE-2026-48054
NVD
HIGH
CVE-2026-46612
CVE-2026-46612
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on …
CWE: CWE-306
NVD
HIGH
CVE-2026-20251
CVE-2026-20251
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power…
CWE: CWE-502
NVD
HIGH
CVE-2026-45564
CVE-2026-45564
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q…
CWE: CWE-78
NVD
HIGH
CVE-2026-45447
CVE-2026-45447
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed m…
CWE: CWE-416
NVD
HIGH
CVE-2026-32193
CVE-2026-32193
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally.
CWE: CWE-22
NVD
HIGH
CVE-2026-46317
CVE-2026-46317
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Reassign nested_mmus array behind mmu_lock
kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vc…
NVD
HIGH
CVE-2026-11681
CVE-2026-11681
Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11680
CVE-2026-11680
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11674
CVE-2026-11674
Use after free in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11673
CVE-2026-11673
Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11670
CVE-2026-11670
Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11664
CVE-2026-11664
Use after free in Payments in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11662
CVE-2026-11662
Type Confusion in Bindings in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-843
NVD
HIGH
CVE-2026-11657
CVE-2026-11657
Use after free in Payments in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11650
CVE-2026-11650
Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11649
CVE-2026-11649
Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11648
CVE-2026-11648
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11646
CVE-2026-11646
Use after free in ViewTransitions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11645
CVE-2026-11645
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-125, CWE-787
NVD
HIGH
CVE-2026-11637
CVE-2026-11637
Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11633
CVE-2026-11633
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11630
CVE-2026-11630
Use after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11629
CVE-2026-11629
Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-46490
CVE-2026-46490
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email,…
CWE: CWE-91
NVD
HIGH
CVE-2026-11523
CVE-2026-11523
A flaw has been found in Tenda W20E 15.11.0.6. This issue affects the function formPortalAuth of the file /goform/PortalAuth of the component Web Management Interface. Executing a manipulation of the argument gotoUrl can lead to stack-based buffer overflow. The attack can be launched remotely. The e…
CWE: CWE-119, CWE-121
NVD
HIGH
CVE-2026-47135
CVE-2026-47135
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox cod…
CWE: CWE-693
NVD
HIGH
CVE-2026-44494
CVE-2026-44494
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM)…
CWE: CWE-441, CWE-1321
GitHub-GHSA
HIGH
Dex: Token-exchange endpoint is missing AllowedConnectors enforcement
Dex: Token-exchange endpoint is missing AllowedConnectors enforcement
## Summary
`server/handlers.go::handleTokenExchange` (lines 1804-1893) does not call `isConnectorAllowed(client.AllowedConnectors, connID)` before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the sa…
GitHub-GHSA
HIGH
Netty has Insufficient Bailiwick Validation for NS Records
Netty has Insufficient Bailiwick Validation for NS Records
### Summary
Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).
Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).
### Details
In `io.netty.resolver.dns.DnsResolveC…
CVE-2026-47691
GitHub-GHSA
HIGH
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
### Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
### Details
In `io.netty.resolver.dns.DnsResolveContext#buildAliasMap`, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
Accor…
CVE-2026-45674
NVD
HIGH
CVE-2026-47209
CVE-2026-47209
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inher…
CWE: CWE-693
NVD
HIGH
CVE-2026-47139
CVE-2026-47139
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes und…
CWE: CWE-693
NVD
HIGH
CVE-2026-44492
CVE-2026-44492
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe)…
CWE: CWE-918
NVD
HIGH
CVE-2026-50570
CVE-2026-50570
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety / ValidateContainerSaf…
CWE: CWE-269, CWE-732
NVD
HIGH
CVE-2026-49824
CVE-2026-49824
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namesp…
CWE: CWE-284, CWE-863
NVD
HIGH
CVE-2026-45549
CVE-2026-45549
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the s…
CWE: CWE-862, CWE-863
NVD
HIGH
CVE-2026-46288
CVE-2026-46288
In the Linux kernel, the following vulnerability has been resolved:
of: unittest: fix use-after-free in of_unittest_changeset()
The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset…
NVD
HIGH
CVE-2026-45567
CVE-2026-45567
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.
CWE: CWE-287, CWE-306, CWE-697
NVD
HIGH
CVE-2026-11682
CVE-2026-11682
Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
HIGH
CVE-2026-11679
CVE-2026-11679
Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11676
CVE-2026-11676
Insufficient validation of untrusted input in Dawn in Google Chrome on Linux and ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
HIGH
CVE-2026-11672
CVE-2026-11672
Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-787
NVD
HIGH
CVE-2026-11663
CVE-2026-11663
Use after free in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11661
CVE-2026-11661
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11660
CVE-2026-11660
Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
HIGH
CVE-2026-11656
CVE-2026-11656
Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11655
CVE-2026-11655
Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-472
NVD
HIGH
CVE-2026-11652
CVE-2026-11652
Use after free in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11647
CVE-2026-11647
Use after free in Printing in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-11642
CVE-2026-11642
Use after free in Web Apps in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11640
CVE-2026-11640
Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-472
NVD
HIGH
CVE-2026-11635
CVE-2026-11635
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11631
CVE-2026-11631
Use after free in Aura in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-46481
CVE-2026-46481
OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.pass…
CWE: CWE-201
NVD
HIGH
CVE-2026-46307
CVE-2026-46307
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/…
NVD
HIGH
CVE-2026-53721
CVE-2026-53721
Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.
CWE: CWE-178, CWE-863
GitHub-GHSA
HIGH
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
### Impact
A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes `Lz4Block` and `Lz4BlockArray`.
The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a cra…
CVE-2026-48109
NVD
HIGH
CVE-2026-49982
CVE-2026-49982
tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring … It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('…
CWE: CWE-20, CWE-22
NVD
HIGH
CVE-2026-40998
CVE-2026-40998
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML…
CWE: CWE-611
GitHub-GHSA
HIGH
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
## Summary
An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose `property.address` field names an arbitrary URL. FUXA's `DEVICE_WEBAPI_REQUEST` handler at `server/runtime/index.js:296` calls `axios.get(address)` server-side and br…
CVE-2026-47719
NVD
HIGH
CVE-2026-46303
CVE-2026-46303
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate Rock Ridge CE continuation extent against volume size
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mo…
GitHub-GHSA
HIGH
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
### Summary
The esbuild Deno module (`lib/deno/mod.ts`) downloads native binary executables from an npm registry and writes them to disk with executable permissions (`0o755`) **without performing any integrity verification** (e.g., SHA-256 hash check). The Node.js equivalent (`lib/npm/node-install.…
GitHub-GHSA
HIGH
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation
### Summary
A configuration-dependent origin validation bypass was identified in Appsmith’s password reset and email verification flows on current `release`.
A configuration-dependent origin validation bypass was identified in Appsmith’s password reset and email verification flows on current `release`.
Both flows derive the email-link base URL from the request `Origin` header. The current validation only enforces a trusted base URL when `A…
GitHub-GHSA
HIGH
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
### Summary
Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients. …
Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients. …
CVE-2026-48152
GitHub-GHSA
HIGH
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators
## Summary
The `/api/v1/users/super` endpoint enforces a restriction that only one super user (Instance Administrator) can be created during initial setup. However, due to a Time-of-Check-Time-of-Use (TOCTOU) race condition in the `signupAndLoginSuper()` method, concurrent requests can bypass this …
NVD
HIGH
CVE-2026-11816
CVE-2026-11816
Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD…
CWE: CWE-22
GitHub-GHSA
HIGH
Litestar has HTML Injection Through its CSRF Token
Litestar has HTML Injection Through its CSRF Token
# Overview
Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline w…
CVE-2026-48060
NVD
HIGH
CVE-2026-45569
CVE-2026-45569
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, n…
CWE: CWE-22, CWE-697
NVD
HIGH
CVE-2026-45565
CVE-2026-45565
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its…
CWE: CWE-20, CWE-22, CWE-117
GitHub-GHSA
HIGH
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted hea…
CVE-2026-41731
NVD
HIGH
CVE-2026-41729
CVE-2026-41729
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expres…
CWE: CWE-917
NVD
HIGH
CVE-2026-41717
CVE-2026-41717
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.
Affected versions:
Spring Data MongoDB 5.0.0 th…
CWE: CWE-917
NVD
HIGH
CVE-2026-7383
CVE-2026-7383
Issue summary: A signed integer overflow when sizing the destination
buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
buffer overflow.
buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
buffer overflow.
Impact summary: A heap buffer overflow may lead to a crash or possibly
attacker controlled code execution or other undefined behaviour.
In ASN…
CWE: CWE-787
NVD
HIGH
CVE-2026-42987
CVE-2026-42987
Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.
CWE: CWE-416
NVD
HIGH
CVE-2026-42981
CVE-2026-42981
Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.
CWE: CWE-191
NVD
HIGH
CVE-2026-42974
CVE-2026-42974
Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.
CWE: CWE-190
NVD
HIGH
CVE-2026-49948
CVE-2026-49948
Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating …
CWE: CWE-862
NVD
HIGH
CVE-2026-11643
CVE-2026-11643
Use after free in Proxy in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-46484
CVE-2026-46484
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.
CWE: CWE-22, CWE-285
GitHub-GHSA
HIGH
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
### Summary
An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.
An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.
### Details
`io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress)` method performs a bit…
CVE-2026-44249
NVD
HIGH
CVE-2026-48165
CVE-2026-48165
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system var…
CWE: CWE-78
NVD
HIGH
CVE-2026-48163
CVE-2026-48163
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not a…
CWE: CWE-78
NVD
HIGH
CVE-2026-44168
CVE-2026-44168
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not a…
CWE: CWE-78
NVD
HIGH
CVE-2026-48612
CVE-2026-48612
Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.
CWE: CWE-352
GitHub-GHSA
HIGH
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance
Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL.
An issue in Aurora PostgreSQL using the AWS Go Wrapper waa identified, see CVE-2026-11401.
Impact
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_supe…
CVE-2026-11401
GitHub-GHSA
HIGH
Jenkins: Stored XSS vulnerability in node offline cause description
Jenkins: Stored XSS vulnerability in node offline cause description
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attac…
CVE-2026-53441
NVD
HIGH
CVE-2026-42851
CVE-2026-42851
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-…
CWE: CWE-94, CWE-862
NVD
HIGH
CVE-2026-44802
CVE-2026-44802
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-42991
CVE-2026-42991
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-42983
CVE-2026-42983
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-42980
CVE-2026-42980
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
CWE: CWE-122, CWE-191
NVD
HIGH
CVE-2026-42979
CVE-2026-42979
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-42978
CVE-2026-42978
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-42977
CVE-2026-42977
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-42916
CVE-2026-42916
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
CWE: CWE-190
NVD
HIGH
CVE-2026-42910
CVE-2026-42910
Out-of-bounds write in Windows Hotpatch Monitoring Service allows an authorized attacker to elevate privileges locally.
CWE: CWE-787
NVD
HIGH
CVE-2026-42905
CVE-2026-42905
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-42837
CVE-2026-42837
Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
CWE: CWE-125
NVD
HIGH
CVE-2026-42829
CVE-2026-42829
Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally.
CWE: CWE-284
NVD
HIGH
CVE-2026-42828
CVE-2026-42828
Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
CWE: CWE-126
NVD
HIGH
CVE-2026-40409
CVE-2026-40409
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
CWE: CWE-197
NVD
HIGH
CVE-2026-40404
CVE-2026-40404
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
CWE: CWE-122, CWE-197
NVD
HIGH
CVE-2026-33828
CVE-2026-33828
Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.
CWE: CWE-501
NVD
HIGH
CVE-2026-8795
CVE-2026-8795
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted co…
CWE: CWE-74, CWE-94, CWE-116
NVD
HIGH
CVE-2026-46311
CVE-2026-46311
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: fix access to stale wptr mapping
Use drm_exec to take both locks i.e vm root bo and
wptr_obj bo to access the mapping data properly.
This fixes the security issue of unmap the wptr_obj while
a queue creation is …
NVD
HIGH
CVE-2026-46280
CVE-2026-46280
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special…
NVD
HIGH
CVE-2026-46277
CVE-2026-46277
In the Linux kernel, the following vulnerability has been resolved:
mm/zone_device: do not touch device folio after calling ->folio_free()
The contents of a device folio can immediately change after calling
->folio_free(), as the folio may be reallocated by a driver with a
different order. Instea…
NVD
HIGH
CVE-2026-46275
CVE-2026-46275
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
Dereference (NPD) conditions were observed in the lifecycle management
of hci_uart.
The pr…
NVD
HIGH
CVE-2026-46274
CVE-2026-46274
In the Linux kernel, the following vulnerability has been resolved:
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding e…
GitHub-GHSA
HIGH
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
# Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
## Summary
A configuration-validation issue in the Radius Kubernetes controller can cause it to issue a `DELETE` for the container resource referenced by a tampered `radapp.io/status` …
CVE-2026-53999
GitHub-GHSA
HIGH
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
### Summary
The OAuth2 token fetch function in `packages/server/src/sdk/workspace/oauth2/utils.ts` (line 59) uses raw `fetch(config.url)` with **no SSRF protection**. The safe wrapper `fetchWithBlacklist()` exists in the same codebase and is used in every other outbound HTTP call (automation steps,…
CVE-2026-48146
NVD
HIGH
CVE-2026-50567
CVE-2026-50567
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result wi…
CWE: CWE-22
NVD
HIGH
CVE-2026-49823
CVE-2026-49823
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by t…
CWE: CWE-284, CWE-863
NVD
HIGH
CVE-2026-49822
CVE-2026-49822
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent s…
CWE: CWE-284, CWE-862
NVD
HIGH
CVE-2026-49821
CVE-2026-49821
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.meta…
CWE: CWE-441, CWE-862
GitHub-GHSA
HIGH
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth
## Affected
Repository: github.com/open-telemetry/opentelemetry-operator
Component: cmd/otel-allocator (TargetAllocator)
Companion: Prometheus Operator API types (CRDs)
## Summary
OpenTelemetry Operator's TargetAllocator watches `ServiceMonitor` resources via the Prometheus Operator CR watcher an…
CVE-2026-47701
GitHub-GHSA
HIGH
File Browser has incorrect access control for public directory shares via rule path rebasing
File Browser has incorrect access control for public directory shares via rule path rebasing
### Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
As a result,…
CVE-2026-54091
GitHub-GHSA
HIGH
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
The webhook schema-building endpoint is registered under `builderRoutes`, but the generic authorization middleware skips authorization for all paths matching `/api/webhooks/schema`. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding aut…
CVE-2026-48151
NVD
HIGH
CVE-2026-50010
CVE-2026-50010
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X50…
CWE: CWE-347
NVD
HIGH
CVE-2026-45416
CVE-2026-45416
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().…
CWE: CWE-770
GitHub-GHSA
HIGH
Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
# SSH message fields were decoded through allocation-first parsers before field-specific bounds
### Summary
Several `russh` client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote…
CVE-2026-48110
NVD
HIGH
CVE-2026-44496
CVE-2026-44496
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who ca…
CWE: CWE-400, CWE-1333
NVD
HIGH
CVE-2026-44488
CVE-2026-44488
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved t…
CWE: CWE-770
NVD
HIGH
CVE-2026-44487
CVE-2026-44487
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is se…
CWE: CWE-201
NVD
HIGH
CVE-2026-44486
CVE-2026-44486
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axio…
CWE: CWE-200
GitHub-GHSA
HIGH
@grpc/grpc-js: A malformed request can cause a server crash
@grpc/grpc-js: A malformed request can cause a server crash
### Impact
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
### Patches
The following version have fixes for this vulnerability:
– 1.9.16
– 1.10.12
– 1.11.4
– 1.12.7
– 1.13.5
– 1.14.4
### Workarounds
Ther…
CVE-2026-48068
GitHub-GHSA
HIGH
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
### Impact
An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js
An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js
### Patches
The following version have fixes for this vulnerability:
– 1.9.16
– 1.10.12
– 1.11.4
– 1.12.7
– 1.13.5
– 1.14.4
### Workar…
CVE-2026-48069
NVD
HIGH
CVE-2026-46679
CVE-2026-46679
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.
CWE: CWE-20, CWE-400, CWE-401
NVD
HIGH
CVE-2026-45783
CVE-2026-45783
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No …
CWE: CWE-20, CWE-400
GitHub-GHSA
HIGH
Acknowledgement extension out of memory
Acknowledgement extension out of memory
### Impact
Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError.
Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError.
Such bad clients would always send:
“`json
{
"channel": "/meta/connec…
CVE-2025-53114
NVD
HIGH
CVE-2025-71330
CVE-2025-71330
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to tri…
CWE: CWE-835
NVD
HIGH
CVE-2025-71329
CVE-2025-71329
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF…
CWE: CWE-835
NVD
HIGH
CVE-2026-46545
CVE-2026-46545
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronizatio…
CWE: CWE-248
NVD
HIGH
CVE-2026-46541
CVE-2026-46541
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT …
CWE: CWE-754
NVD
HIGH
CVE-2026-44716
CVE-2026-44716
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the –folder f…
CWE: CWE-22
NVD
HIGH
CVE-2025-71319
CVE-2025-71319
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF…
CWE: CWE-835
NVD
HIGH
CVE-2026-9076
CVE-2026-9076
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)
processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK
cipher can trigger a heap out-of-bounds read in kek_unwrap_key().
processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK
cipher can trigger a heap out-of-bounds read in kek_unwrap_key().
Impact summary: A heap buffer over-read may trigger a crash which leads to
Denial…
CWE: CWE-125
NVD
HIGH
CVE-2026-45445
CVE-2026-45445
Issue summary: When an application drives an AES-OCB context through the
public EVP_Cipher() one-shot interface, the application-supplied
initialisation vector (IV) is silently discarded.
public EVP_Cipher() one-shot interface, the application-supplied
initialisation vector (IV) is silently discarded.
Impact summary: Every message encrypted under the same key uses the
same effective nonce regardless of the IV s…
CWE: CWE-325
NVD
HIGH
CVE-2026-42908
CVE-2026-42908
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
CWE: CWE-125
NVD
HIGH
CVE-2026-42765
CVE-2026-42765
Issue summary: When a partial-chain certificate verification is enabled
together with OCSP response checking for the whole chain, a NULL dereference
will happen if the verified chain does not have a self-signed trusted anchor,
crashing the process.
together with OCSP response checking for the whole chain, a NULL dereference
will happen if the verified chain does not have a self-signed trusted anchor,
crashing the process.
Impact summary: A NULL pointer dereference can tri…
CWE: CWE-476
NVD
HIGH
CVE-2026-42764
CVE-2026-42764
Issue summary: Receiving a QUIC initial packet with an invalid token may
trigger a NULL pointer dereference in the OpenSSL QUIC server with
address validation disabled.
trigger a NULL pointer dereference in the OpenSSL QUIC server with
address validation disabled.
Impact summary: NULL pointer dereference typically causes abnormal termination
of the affected QUIC server process and a Denial of…
CWE: CWE-476
NVD
HIGH
CVE-2026-34183
CVE-2026-34183
Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.
server or client by flooding it with packets containing PATH_CHALLENGE
frames.
Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUI…
CWE: CWE-1325
NVD
HIGH
CVE-2026-34180
CVE-2026-34180
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive
element whose content exceeds 2 gigabytes in length may cause a heap buffer
over-read on 64-bit Unix and Unix-like platforms.
element whose content exceeds 2 gigabytes in length may cause a heap buffer
over-read on 64-bit Unix and Unix-like platforms.
Impact summary: The heap buffer over-read may crash the application (Denial of
Service) or to l…
CWE: CWE-125
NVD
HIGH
CVE-2026-41850
CVE-2026-41850
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation o…
CWE: CWE-407
NVD
HIGH
CVE-2026-41849
CVE-2026-41849
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Affected versions:
Spring Fr…
CWE: CWE-190
NVD
HIGH
CVE-2026-11667
CVE-2026-11667
Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the GPU process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-125
NVD
HIGH
CVE-2026-11644
CVE-2026-11644
Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11641
CVE-2026-11641
Use after free in Bluetooth in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11639
CVE-2026-11639
Use after free in Compositing in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11636
CVE-2026-11636
Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-11632
CVE-2026-11632
Use after free in TabStrip in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
GitHub-GHSA
HIGH
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
### Impact
Puma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used.
PROXY protocol v1 is a connection-level protocol. [Support was added to Puma in v5.5.0](https://github.com/puma/puma/issues/2651). A proxy sends one PRO…
CVE-2026-47737
GitHub-GHSA
HIGH
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
### Impact
[PROXY protocol support for Puma](https://github.com/puma/puma/issues/2651) was added in version 5.5.0.
When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens…
CVE-2026-47736
GitHub-GHSA
HIGH
Netty: SCTP reassembly nests buffers without bound
Netty: SCTP reassembly nests buffers without bound
For each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding…
CVE-2026-46340
GitHub-GHSA
HIGH
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the…
CVE-2026-45416
GitHub-GHSA
HIGH
Netty's Default QUIC token handler accepts any client-supplied token
Netty's Default QUIC token handler accepts any client-supplied token
NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interp…
CVE-2026-44894
NVD
HIGH
CVE-2026-40519
CVE-2026-40519
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary co…
CWE: CWE-78
GitHub-GHSA
HIGH
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsExc…
CVE-2026-44893
GitHub-GHSA
HIGH
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
### Summary
The default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default confi…
The default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default confi…
CVE-2026-44892
GitHub-GHSA
HIGH
Netty has Unbounded Direct Memory Consumption in its RedisDecoder
Netty has Unbounded Direct Memory Consumption in its RedisDecoder
### Summary
An attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed.
An attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed.
### Details
io.netty.handler.codec.redis.RedisDecoder d…
CVE-2026-44890
GitHub-GHSA
HIGH
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
### Summary
An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.
An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.
### Details
io.netty.handler.codec.redis.RedisArrayAggregat…
CVE-2026-44250
NVD
HIGH
CVE-2026-46306
CVE-2026-46306
In the Linux kernel, the following vulnerability has been resolved:
flow_dissector: do not dissect PPPoE PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow diss…
NVD
HIGH
CVE-2026-46304
CVE-2026-46304
In the Linux kernel, the following vulnerability has been resolved:
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flu…
GitHub-GHSA
HIGH
Routinator crashes when sending a maliciously crafted select-asn query parameter
Routinator crashes when sending a maliciously crafted select-asn query parameter
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes.
This only affects users who allow API access from untrusted networks.
CVE-2026-49234
NVD
HIGH
CVE-2026-34181
CVE-2026-34181
Issue Summary: The PKCS#12 file processing fails to perform sufficient input
validation for files that use Password-Based Message Authentication Code 1
(PBMAC1) integrity mechanism allowing a certificate and private key forgery.
validation for files that use Password-Based Message Authentication Code 1
(PBMAC1) integrity mechanism allowing a certificate and private key forgery.
Impact Summary: An attacker impersonating a user can cause a service r…
CWE: CWE-354
NVD
HIGH
CVE-2026-48546
CVE-2026-48546
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull r…
CWE: CWE-693
NVD
HIGH
CVE-2026-11417
CVE-2026-11417
OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host run…
CWE: CWE-78
GitHub-GHSA
HIGH
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion
# Path Traversal in `clear_plugin_cache` Allows Arbitrary Directory Deletion
| Field | Value |
| —————- | —– |
| Repository | julien040/anyquery |
| Affected version | 0.4.4 |
| Vulnerability | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory |…
CVE-2026-47253
NVD
HIGH
CVE-2026-42306
CVE-2026-42306
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary ho…
CWE: CWE-61, CWE-367
GitHub-GHSA
HIGH
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
### Summary
A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to …
A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to …
CVE-2025-52465
NVD
HIGH
CVE-2026-53816
CVE-2026-53816
OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering…
CWE: CWE-862
GitHub-GHSA
HIGH
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
## Summary
Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution (RCE).
## Impact
If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code.
## Details
Authenticated users can access Vector Data Sour…
CVE-2025-27511
GitHub-GHSA
HIGH
WsgiDAV encoded dot segments can escape filesystem share roots
WsgiDAV encoded dot segments can escape filesystem share roots
### Impact
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
### Patches
The issue is fixed with version 4.3.4.
### Preconditions
The practical impact depends on the deployment.
T…
CVE-2026-48099
GitHub-GHSA
HIGH
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
### Summary
The dashboard exposes the cron manual-trigger action as an authenticated `GET /api/v1/cron/:id/manual` endpoint. Dashboard JWTs are sent in the `nz-jwt` cookie and configured with `SameSite=Lax`, which browsers include on top-level cross-site GET navigations. Because this state-changing…
CVE-2026-49396
NVD
HIGH
CVE-2026-53674
CVE-2026-53674
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mention…
CWE: CWE-943
NVD
HIGH
CVE-2026-44495
CVE-2026-44495
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affecte…
CWE: CWE-94, CWE-1321
NVD
HIGH
CVE-2026-42984
CVE-2026-42984
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-42912
CVE-2026-42912
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-42911
CVE-2026-42911
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-41108
CVE-2026-41108
Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-34335
CVE-2026-34335
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-46299
CVE-2026-46299
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix held lock freed on hfsplus_fill_super()
hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the functio…
GitHub-GHSA
HIGH
File Browser has a DoS Vulnerability via Public Login API
File Browser has a DoS Vulnerability via Public Login API
### Summary
Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the co…
Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the co…
CVE-2026-54092
GitHub-GHSA
HIGH
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
> [!NOTE]
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this …
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this …
CVE-2026-54090
GitHub-GHSA
HIGH
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
### Summary
This is similar vulnrability of **`CVE-2026-0035`**, which was fixed in Android `MediaProvider` with **high** severity. In the original Java issue, `MediaStore.createWriteRequest()` accepted attacker-controlled URIs and created a future grant even when the referenced media item did not e…
This is similar vulnrability of **`CVE-2026-0035`**, which was fixed in Android `MediaProvider` with **high** severity. In the original Java issue, `MediaStore.createWriteRequest()` accepted attacker-controlled URIs and created a future grant even when the referenced media item did not e…
CVE-2026-54096
GitHub-GHSA
HIGH
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
### Summary
A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory…
A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory…
CVE-2026-54097
GitHub-GHSA
HIGH
PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
PyO3 0.24.0 added optimized implementations of `Iterator::nth` and `DoubleEndedIterator::nth_back` for the `BoundListIterator` and `BoundTupleIterator` types. These implementations computed the target index using unchecked `usize` addition (`index + n`) before bounds-checking against the sequence le…
GitHub-GHSA
HIGH
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection
### Summary
Authenticated chisel clients can bypass `–authfile` ACL restrictions and tunnel traffic to arbitrary destinations reachable from the server. The ACL is enforced only during the initial handshake against declared remotes, but never on subsequent SSH channels that carry actual traffic. A…
CVE-2026-48113
GitHub-GHSA
HIGH
DevGuard has improper authorization on public assets
DevGuard has improper authorization on public assets
### Impact
On a DevGuard API instance with one or more **public assets**, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete **VEX rules** on those public assets. The same flaw a…
CVE-2026-48089
GitHub-GHSA
HIGH
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
### Impact
The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exce…
The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exce…
CVE-2026-48059
GitHub-GHSA
HIGH
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
### Summary
Arc registers Go's `net/http/pprof` handlers at `/debug/pprof/*` via `app.Use(pprof.New())` in `internal/api/server.go`, and `/debug/pprof` is added to `PublicPrefixes` in `cmd/arc/main.go`. The auth middleware short-circuits before the token check on prefix match, so the endpoints are …
CVE-2026-48050
GitHub-GHSA
HIGH
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
## Summary
There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path contai…
CVE-2026-48020
GitHub-GHSA
HIGH
Element Call reports full URLs of visited pages to analytics server
Element Call reports full URLs of visited pages to analytics server
### Impact
Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a `posthog` key in config.json or by the `posthogApiHost` and `posthogApiKey` URL parameters. Several fields of this data (`$initial_person_info`, `$session_entry_url`, and `$curr…
CVE-2026-48007
GitHub-GHSA
HIGH
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
### Impact
The RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or …
The RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or …
CVE-2026-48006
GitHub-GHSA
HIGH
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing
## Summary
PDM automatically loads project-local plugin paths from `.pdm-plugins` during `Core` initialization. Because this path is added via `site.addsitedir()`, attacker-controlled `.pth` files inside the project plugin directory are processed and can execute Python code before normal CLI handli…
CVE-2026-47781
GitHub-GHSA
HIGH
PDM wheel installation leads to Path Traversal via overridden write_to_fs
PDM wheel installation leads to Path Traversal via overridden write_to_fs
InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wh…
CVE-2026-47764
GitHub-GHSA
HIGH
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts
**Affected:** `@hulumi/drift` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** Medium — **CWE-755 (Improper Handling of Exceptional Conditions)**
#### Summary
`@hulumi/drift` runs four adapters that each ask a different question about whether a resource has drifted (Pulumi-state diff, provi…
CVE-2026-48036
GitHub-GHSA
HIGH
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
**Affected:** `@hulumi/baseline` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)**
#### Summary
The S3 bucket that `AccountFoundation` creates to receive CloudTrail and AWS Config audit logs is meant to be …
CVE-2026-48035
GitHub-GHSA
HIGH
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket
**Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-284 (Improper Access Control)**
#### Summary
HULUMI-H1 forbids raw `aws:s3:Bucket` outside of Hulumi's `SecureBucket` component, with one exemption: a raw bucket that's a child of a `SecureBucket`…
CVE-2026-48034
GitHub-GHSA
HIGH
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
**Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-693 (Protection Mechanism Failure)**
#### Summary
Pulumi gives every cloud resource a structured URN that includes the resource's type chain (`hulumi:baseline:aws:SecureBucket$aws:s3/bucketV2:Buck…
CVE-2026-48033
GitHub-GHSA
HIGH
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
**Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-697 (Incorrect Comparison)**
#### Summary
AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC.…
CVE-2026-48032
GitHub-GHSA
HIGH
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
### Summary
Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`, `read_blob`, `glob`, `parqu…
CVE-2026-47735
GitHub-GHSA
HIGH
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator
`internal/api/audit.go:12` — `handleGetAuditLog` does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via `store.ListAuditEntries` (up to limit=1000). This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP…
CVE-2026-47726
GitHub-GHSA
HIGH
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints
Every `/ui/*` POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. `SameSite=Lax` on the session cookie prevents most cross-site form submits but does not protect:
– top-level form-submit navigations from third-party pages (some browsers still send Lax co…
CVE-2026-47725
GitHub-GHSA
HIGH
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy`, `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `Referrer-Policy` returns zero matches across the codebase.
## Impact
The admin…
CVE-2026-47723
GitHub-GHSA
HIGH
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
`internal/configgen/generator.go:86,108,119` interpolates the operator-supplied `ListenHost` and `TunDevice` fields raw into a `text/template` that produces the agent's `config.yml`. `internal/web/advanced.go:20-35` accepts both with only `strings.TrimSpace` — no character or shape validation.
##…
CVE-2026-47722
GitHub-GHSA
HIGH
Routinator has cache path traversal when processing the module component of rsync URIs
Routinator has cache path traversal when processing the module component of rsync URIs
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
CVE-2026-49233
GitHub-GHSA
HIGH
Routinator crashes when encountering maliciously crafted RRDP XML files
Routinator crashes when encountering maliciously crafted RRDP XML files
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
CVE-2026-49235
NVD
MEDIUM
CVE-2026-53523
CVE-2026-53523
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero valida…
CWE: CWE-601
GitHub-GHSA
MEDIUM
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
## Summary
File Browser enforces per-user scope with `afero.NewBasePathFs(afero.NewOsFs(), scope)`, set up in `users/users.go`. This blocks lexical `../` traversal, but it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a …
CVE-2026-54094
GitHub-GHSA
MEDIUM
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
## Summary
`parseEfiSignatureList()` in `attest/internal/events.go` does not skip `SignatureHeaderSize` vendor bytes before reading `EFI_SIGNATURE_LIST` signature entries, violating UEFI specification section 31.4.1.
## Impact
For `hashSHA256SigGUID` lists, attacker-controlled vendor header bytes…
NVD
MEDIUM
CVE-2026-11628
CVE-2026-11628
Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: Critical)
CWE: CWE-416
GitHub-GHSA
MEDIUM
Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
### Summary
Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack).
Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack).
### Details
Two factors contribute to this vulnerability in io.n…
CVE-2026-45673
GitHub-GHSA
MEDIUM
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
## Summary
A NoSQL injection vulnerability existed in `MongoDBSaver` where checkpoint identifier fields from `config.configurable` were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads (for example MongoDB operators like `$gt` and …
CVE-2026-48121
GitHub-GHSA
MEDIUM
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
### Summary
A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service (APNS) tokens — through …
CVE-2026-46371
GitHub-GHSA
MEDIUM
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint
### Summary
A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (`node_key`, `orbit_node_key`) through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` pa…
CVE-2026-46370
GitHub-GHSA
MEDIUM
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
### Summary
The `buildMatcherRegex()` / `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into **unanchored regular expressions** and tested against `ctx.request.url`, …
CVE-2026-48147
GitHub-GHSA
MEDIUM
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
### Summary
A GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
A GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
### Details
This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0):
#…
CVE-2025-58175
NVD
MEDIUM
CVE-2026-50630
CVE-2026-50630
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inje…
CWE: CWE-113
NVD
MEDIUM
CVE-2026-50623
CVE-2026-50623
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that th…
CWE: CWE-287
GitHub-GHSA
MEDIUM
Russh: Unchecked keyboard-interactive prompt count in client auth path
Russh: Unchecked keyboard-interactive prompt count in client auth path
### Summary
In the `russh` client keyboard-interactive authentication path, a malicious SSH server could send a `USERAUTH_INFO_REQUEST` with an attacker-controlled prompt count, and the client would use that raw count directly in `Vec::with_capacity(…)` before validating that enough prompt data wa…
In the `russh` client keyboard-interactive authentication path, a malicious SSH server could send a `USERAUTH_INFO_REQUEST` with an attacker-controlled prompt count, and the client would use that raw count directly in `Vec::with_capacity(…)` before validating that enough prompt data wa…
CVE-2026-48107
NVD
MEDIUM
CVE-2026-47157
CVE-2026-47157
aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example…
CWE: CWE-918
GitHub-GHSA
MEDIUM
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
### Impact
`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct `a…
CVE-2026-48045
GitHub-GHSA
MEDIUM
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
### Impact
Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP do…
Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP do…
CVE-2026-48022
GitHub-GHSA
MEDIUM
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
### Summary
vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies `–revision` or `–code-revision` can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config fro…
CVE-2026-47155
NVD
MEDIUM
CVE-2026-45561
CVE-2026-45561
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/…'). The path …
CWE: CWE-918
GitHub-GHSA
MEDIUM
In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.
Affected versions:
Spring for Apache Kafka 4.0.0 th…
CVE-2026-41726
NVD
MEDIUM
CVE-2026-9741
CVE-2026-9741
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of cip…
CWE: CWE-319
NVD
MEDIUM
CVE-2026-42907
CVE-2026-42907
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-42903
CVE-2026-42903
Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.
CWE: CWE-476
NVD
MEDIUM
CVE-2026-11658
CVE-2026-11658
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
MEDIUM
CVE-2026-11653
CVE-2026-11653
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
MEDIUM
CVE-2026-39908
CVE-2026-39908
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application at…
CWE: CWE-522
NVD
MEDIUM
CVE-2026-40985
CVE-2026-40985
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
CWE: CWE-917
NVD
MEDIUM
CVE-2026-12210
CVE-2026-12210
A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0. This affects an unknown function of the component utcp-gql/utcp-websocket. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be u…
CWE: CWE-918
GitHub-GHSA
MEDIUM
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
## Summary
An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators.
## Details
The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications.…
CVE-2026-47721
GitHub-GHSA
MEDIUM
GeoNode contains a server-side request forgery vulnerability in the service registration endpoint
GeoNode contains a server-side request forgery vulnerability in the service registration endpoint
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during…
CVE-2026-39922
NVD
MEDIUM
CVE-2026-42771
CVE-2026-42771
Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an
application to validate a crafted e-mail address, such as during S/MIME
message validation, an out of bounds read can happen.
application to validate a crafted e-mail address, such as during S/MIME
message validation, an out of bounds read can happen.
Impact summary: This out of bounds read will not directly exfiltrate
the data read to the attacker so th…
CWE: CWE-125
NVD
MEDIUM
CVE-2026-41568
CVE-2026-41568
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary …
CWE: CWE-81, CWE-367
NVD
MEDIUM
CVE-2026-47250
CVE-2026-47250
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environ…
CWE: CWE-88
NVD
MEDIUM
CVE-2026-45566
CVE-2026-45566
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via …
CWE: CWE-601
NVD
MEDIUM
CVE-2026-45560
CVE-2026-45560
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-41715
CVE-2026-41715
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Affected versions:
Reactor Netty 1.0.0 through 1.0.51; 1.1…
CWE: CWE-522
GitHub-GHSA
MEDIUM
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)
## Vulnerability: CWE-362 — Concurrent Map Access Race Condition in InMemorySecret2FA
**CWE:** CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)
### Affected Component
– `github.com/pilinux/gorest` — Go REST API boilerplate
– InMemorySecret2FA — in-memory 2FA…
CVE-2026-48154
GitHub-GHSA
MEDIUM
Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header
Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header
### Summary
`AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an `X-Forwarded-Host` h…
CVE-2026-48061
NVD
MEDIUM
CVE-2026-41696
CVE-2026-41696
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.
Affected versions:
Spring Data MongoDB 5.0.0 t…
CWE: CWE-943
NVD
MEDIUM
CVE-2026-42767
CVE-2026-42767
Issue summary: An attacker-controlled CMP (Certificate Management Protocol)
server could trigger a NULL pointer dereference in a CMP client application.
server could trigger a NULL pointer dereference in a CMP client application.
Impact summary: A NULL pointer dereference causes a crash of the
application and a Denial of Service.
An attacker controlling a CMP server (or ac…
CWE: CWE-476
NVD
MEDIUM
CVE-2026-42766
CVE-2026-42766
Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.
can trigger a NULL pointer dereference during CMS decryption.
Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.
The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined…
CWE: CWE-476
GitHub-GHSA
MEDIUM
Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset
Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset
## Summary
Several Kolibri API endpoints accept an unvalidated `baseurl` parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the `RemoteFacilityUser*` viewsets; remediation review foun…
CVE-2026-48053
NVD
MEDIUM
CVE-2026-53723
CVE-2026-53723
Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing the…
CWE: CWE-20, CWE-91
NVD
MEDIUM
CVE-2026-42915
CVE-2026-42915
Incorrect calculation of buffer size in Windows TCP/IP allows an authorized attacker to deny service over an adjacent network.
CWE: CWE-131
GitHub-GHSA
MEDIUM
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
## Impact
An uncontrolled-resource-consumption (memory exhaustion) denial-of-service vulnerability (CWE-400 / CWE-789).
A client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_de…
CVE-2026-47734
GitHub-GHSA
MEDIUM
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
`internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator's browser at:
/ui/operators/<id>?new_key=<raw-token>&key_name=<name>
The raw API key ends up:
– in the browser's URL history
– in the `Referer` header on …
CVE-2026-47768
NVD
MEDIUM
CVE-2026-42973
CVE-2026-42973
Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-42972
CVE-2026-42972
Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-42971
CVE-2026-42971
Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-42970
CVE-2026-42970
Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-42969
CVE-2026-42969
Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
CWE: CWE-908
NVD
MEDIUM
CVE-2026-42968
CVE-2026-42968
Out-of-bounds read in Windows Telephony Service allows an authorized attacker to disclose information locally.
CWE: CWE-125
NVD
MEDIUM
CVE-2026-42906
CVE-2026-42906
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-45581
CVE-2026-45581
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in pl…
CWE: CWE-532
GitHub-GHSA
MEDIUM
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
### Summary
A potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the `toSVG()` method.
Specifically, the `color` field within the `colorStops` array of a `fabric.Gradient` object is not properly esca…
CVE-2026-44311
NVD
MEDIUM
CVE-2026-53722
CVE-2026-53722
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controll…
CWE: CWE-79, CWE-83
NVD
MEDIUM
CVE-2026-11666
CVE-2026-11666
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
GitHub-GHSA
MEDIUM
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
### Summary
Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri.
Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri.
The vulnerable behavior happens before client lookup and before any redirect URI validation. …
CVE-2026-41479
NVD
MEDIUM
CVE-2026-50629
CVE-2026-50629
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade…
CWE: CWE-93
GitHub-GHSA
MEDIUM
Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
### Summary
`russh` did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner…
CVE-2026-48108
GitHub-GHSA
MEDIUM
@hapi/inert has a static-file confinement bypass via sibling-prefix path
@hapi/inert has a static-file confinement bypass via sibling-prefix path
### Impact
`@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the resolved absolute pat…
`@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the resolved absolute pat…
CVE-2026-48049
GitHub-GHSA
MEDIUM
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
### Impact
The `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `B…
CVE-2026-48043
GitHub-GHSA
MEDIUM
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
### Impact
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.
The blast radius depends on how the application invokes joi:
– Highest impact: `validate()` called without `try/catch` in a request handler would cause an unha…
CVE-2026-48038
NVD
MEDIUM
CVE-2026-48108
CVE-2026-48108
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banne…
CWE: CWE-20
GitHub-GHSA
MEDIUM
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
# Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
**CWE**: CWE-285 (Improper Authorization) via CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-863 (Incorrect Authorization — inconsistent gating acr…
CVE-2026-49397
NVD
MEDIUM
CVE-2026-46543
CVE-2026-46543
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates ba…
CWE: CWE-617
NVD
MEDIUM
CVE-2026-42914
CVE-2026-42914
Windows Kerberos Denial of Service Vulnerability
CWE: CWE-125
NVD
MEDIUM
CVE-2026-42769
CVE-2026-42769
Issue Summary: An error in the callback used to verify the certificate
provided in a Root CA key update Certificate Management Protocol (CMP)
message response rendered the certificate validation ineffectual, which
could lead to escalation of credentials from the Registration Authority (RA)
level to …
provided in a Root CA key update Certificate Management Protocol (CMP)
message response rendered the certificate validation ineffectual, which
could lead to escalation of credentials from the Registration Authority (RA)
level to …
CWE: CWE-295
NVD
MEDIUM
CVE-2026-41851
CVE-2026-41851
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 th…
CWE: CWE-770
NVD
MEDIUM
CVE-2026-11696
CVE-2026-11696
Uninitialized Use in Video in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-457
NVD
MEDIUM
CVE-2026-11669
CVE-2026-11669
Out of bounds read in Media in Google Chrome on ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-472
GitHub-GHSA
MEDIUM
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
## Summary
The TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does not escape backslashes. TDengine's SQL parser treats `\'` as a literal single quote inside a string, so a tag id of the form `x\' OR 1=1–` escapes the fi…
CVE-2026-47720
GitHub-GHSA
MEDIUM
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
### Impact
DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSe…
DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSe…
CVE-2026-47244
GitHub-GHSA
MEDIUM
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
### Description
In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.
In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.
### Preconditions
This applies if the following preconditions are present:
– FGA runs with SharedI…
CVE-2026-48096
NVD
MEDIUM
CVE-2026-35188
CVE-2026-35188
Issue summary: A malicious server can exploit TLS OCSP stapling by delivering
a crafted response through the status_request extension, triggering a
double-free in the client's certificate verification path.
a crafted response through the status_request extension, triggering a
double-free in the client's certificate verification path.
Impact summary: Successful exploitation allows an attacker to corrupt heap
memory via a doub…
CWE: CWE-415
NVD
MEDIUM
CVE-2026-50565
CVE-2026-50565
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet…
CWE: CWE-250, CWE-269, CWE-538
NVD
MEDIUM
CVE-2026-45559
CVE-2026-45559
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput,…
CWE: CWE-90
NVD
MEDIUM
CVE-2026-44490
CVE-2026-44490
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the p…
CWE: CWE-1321
NVD
MEDIUM
CVE-2026-45446
CVE-2026-45446
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV
(RFC 8452) mishandle the authentication of AAD (Additional Authenticated
Data) with an empty ciphertext allowing a forgery of such messages.
(RFC 8452) mishandle the authentication of AAD (Additional Authenticated
Data) with an empty ciphertext allowing a forgery of such messages.
Impact summary: An attacker can forge empty messages with arbitrary AAD
to the victim…
CWE: CWE-325
NVD
MEDIUM
CVE-2026-50569
CVE-2026-50569
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeUR…
CWE: CWE-20
NVD
MEDIUM
CVE-2026-45563
CVE-2026-45563
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in a…
CWE: CWE-639, CWE-863
NVD
MEDIUM
CVE-2026-11668
CVE-2026-11668
Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High)
CWE: CWE-457
NVD
MEDIUM
CVE-2026-11665
CVE-2026-11665
Out of bounds read in Dawn in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-125
NVD
MEDIUM
CVE-2026-41714
CVE-2026-41714
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://…") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification.
Affected versions:
Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.…
CWE: CWE-295
GitHub-GHSA
MEDIUM
Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process…
CVE-2026-45536
GitHub-GHSA
MEDIUM
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with `/W [0 0 0]` values and large `/Size` values.
### Patches
This has been fixed in [pypdf==6.12.0](https://github.com/py-pdf/pypdf/releases/tag/6.12.0).
### W…
CVE-2026-48156
GitHub-GHSA
MEDIUM
File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
### Summary
filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windows-style traversal (`..\..\..\evil.txt`) is accepted by the re…
filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windows-style traversal (`..\..\..\evil.txt`) is accepted by the re…
CVE-2026-54093
GitHub-GHSA
MEDIUM
ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing
ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing
## Summary
The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to `Int` values or allocating arrays.
A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger…
GitHub-GHSA
MEDIUM
ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation
ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation
## Summary
The SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet.
When a client connects to a malicious or compromised SSH server, the server can send a small, malformed packet containing an inne…
GitHub-GHSA
MEDIUM
PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures
PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures
`PyCFunction::new_closure` (and the temporary `new_closure_bound` complement in the 0.21–0.22 series) required the supplied closure to be `Send + 'static` but not `Sync`. The resulting `PyCFunction` is a Python callable that can be invoked from any Python thread, which means the closure may be cal…
GitHub-GHSA
MEDIUM
pypdf: Possible large memory usage for large offsets for layout mode text
pypdf: Possible large memory usage for large offsets for layout mode text
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets.
### Patches
This has been fixed in [pypdf==6.12.0](https://github.com/py-pdf/pypdf/releases/tag/6.12.0).
### Workaround…
CVE-2026-48155
GitHub-GHSA
MEDIUM
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
### Summary
The VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as `169.254.169.254` or localhos…
CVE-2026-48148
GitHub-GHSA
MEDIUM
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
### Summary
The executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-sid…
CVE-2026-48128
GitHub-GHSA
MEDIUM
netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access
netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access
The netty-incubator-codec-ohttp library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations, provides a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`…
CVE-2026-48040
GitHub-GHSA
MEDIUM
free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence
free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence
### Summary
The free5GC UDR accepts arbitrary non-3GPP ueId values in the EE subscription creation and query flows because the regular expression used for validation ends with the catch-all alternative |.+. This causes the validation logic to accept any non-empty string rather than restricting input…
The free5GC UDR accepts arbitrary non-3GPP ueId values in the EE subscription creation and query flows because the regular expression used for validation ends with the catch-all alternative |.+. This causes the validation logic to accept any non-empty string rather than restricting input…
CVE-2026-47780
GitHub-GHSA
MEDIUM
PDM: Project-Local State and Config Writes Follow Symlinks
PDM: Project-Local State and Config Writes Follow Symlinks
## Summary
PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets.
This creates an arbitrary file clobber primitive relative to the privileges of the …
CVE-2026-47763
GitHub-GHSA
MEDIUM
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)
## Summary
`(*backend).CreateInstanceFromBackup` in [`internal/server/storage/backend.go`](https://github.com/lxc/incus/blob/1513600/internal/server/storage/backend.go) contains a nil-pointer dereference that an authenticated user with permission to create instances in any project can trigger remot…
CVE-2026-47753
GitHub-GHSA
MEDIUM
nebula-mesh: Session and OIDC state cookies lack the Secure attribute
nebula-mesh: Session and OIDC state cookies lack the Secure attribute
`internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the session.
## Affecte…
CVE-2026-48058
GitHub-GHSA
MEDIUM
nebula-mesh: Decrypted CA private key persists in heap after signing
nebula-mesh: Decrypted CA private key persists in heap after signing
`internal/pki/resolver.go:36-64` constructs a `CAManager` with the plaintext `ed25519.PrivateKey` after unwrapping via the master key; `internal/pki/ca.go:13-16` stores it. Callers at `internal/api/enroll.go:116`, `internal/api/updates.go:297`, and `internal/api/mobile_bundle.go:40` use the manager …
CVE-2026-48025
GitHub-GHSA
MEDIUM
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
**Affected:** `@hulumi/baseline` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** Medium — **CWE-693 (Protection Mechanism Failure)**
#### Summary
`AccountFoundation` can either create AWS detective services (GuardDuty for threat detection, Security Hub for compliance dashboards) or reuse p…
CVE-2026-48037
GitHub-GHSA
MEDIUM
Net::IMAP: Command Injection via ID command argument
Net::IMAP: Command Injection via ID command argument
### Summary
Two `Net::IMAP` commands, `#id` and `#enable`, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands.
Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon.…
CVE-2026-47242
GitHub-GHSA
MEDIUM
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.
### Details
…
CVE-2026-47240
GitHub-GHSA
MEDIUM
actual Allows Electron to Run As Node
actual Allows Electron to Run As Node
## Summary
A electron run as node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).
**Vulnerability Type:** Electron Run As Node
## Description
ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary…
CVE-2026-42890