{"cves":[{"cve_id":"CVE-2026-6175","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-24T23:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42171","summary":"NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484","https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca","https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename","https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl"],"published_time":"2026-04-24T22:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41473","summary":"CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. 
Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961","https://itsrez.re/post/cyberpanel-rce","https://www.vulncheck.com/advisories/cyberpanel-unauthenticated-api-access-via-ai-scanner-endpoints"],"published_time":"2026-04-24T21:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41478","summary":"Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"],"published_time":"2026-04-24T21:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41481","summary":"LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters\n 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). 
Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr"],"published_time":"2026-04-24T21:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41488","summary":"LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. 
This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"],"published_time":"2026-04-24T21:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41248","summary":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, and 4.8.1.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"],"published_time":"2026-04-24T21:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41472","summary":"CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. 
Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961","https://itsrez.re/post/cyberpanel-rce","https://www.vulncheck.com/advisories/cyberpanel-stored-xss-via-ai-scanner-dashboard"],"published_time":"2026-04-24T21:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6967","summary":"Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-019-aws/","https://crates.io/crates/tough/0.22.0","https://crates.io/crates/tuftool/0.15.0","https://github.com/awslabs/tough/releases/tag/tough-v0.22.0","https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0","https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3"],"published_time":"2026-04-24T20:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6968","summary":"Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with 
delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-019-aws/","https://crates.io/crates/tough/0.22.0","https://crates.io/crates/tuftool/0.15.0","https://github.com/awslabs/tough/releases/tag/tough-v0.22.0","https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0","https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg"],"published_time":"2026-04-24T20:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41475","summary":"BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending a truncated WPM request. The vulnerability stems from wpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function, which performs no bounds checking on the input buffer. A crafted BACnet/IP packet with a truncated property payload causes the decoder to read 1-7 bytes past the end of the buffer, leading to crashes or information disclosure on embedded BACnet devices. 
This vulnerability is fixed in 1.4.3.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-cvv4-v3g6-4jmv"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41476","summary":"Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41477","summary":"Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, the Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. 
Affects both the stable v1.20.0+ releases and the Continuous v1.26.0.134 prerelease.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41502","summary":"BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The vulnerability is in rpm_decode_object_id(), which checks apdu_len < 5 but then accesses all 6 byte positions (indices 0-5) — consuming 1 byte for the context tag, 4 bytes for the object ID, then reading apdu[5] for the opening tag check. A 5-byte input passes the length check but causes a 1-byte OOB read, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-7545-3fpx-4xw3"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41503","summary":"BACnet Stack is a BACnet open source protocol stack C library for embedded systems. 
Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-5w2v-mwqj-pr2c"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6966","summary":"Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / 
tuftool-v0.15.0.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-019-aws/","https://crates.io/crates/tough/0.22.0","https://crates.io/crates/tuftool/0.15.0","https://github.com/awslabs/tough/releases/tag/tough-v0.22.0","https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0","https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x"],"published_time":"2026-04-24T20:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41425","summary":"Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth.  This vulnerability is fixed in 1.6.11.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41426","summary":"pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. 
This vulnerability is fixed in 2026.1.0.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41427","summary":"Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41428","summary":"Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. 
This vulnerability is fixed in 3.35.4.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41429","summary":"arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network.\nThe request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espressif/arduino-esp32/security/advisories/GHSA-92j9-c75g-2c5f"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41433","summary":"OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation semantics, enabling both filesystem boundary escape and symlink-based file clobbering. 
This vulnerability is fixed in 0.8.0.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.8.0","https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-8gmg-3w2q-65f4"],"published_time":"2026-04-24T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41244","summary":"Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"],"published_time":"2026-04-24T20:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41492","summary":"Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security \"token=...\" startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. 
This is a variant of the previously fixed /debug/pprof/cmdline issue, but that fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3","https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"],"published_time":"2026-04-24T19:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41894","summary":"SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/siyuan-note/siyuan/commit/bb481e1290c4a34255652ede85a546504505d2a7","https://github.com/siyuan-note/siyuan/releases/tag/v3.6.5","https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872"],"published_time":"2026-04-24T19:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41907","summary":"uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. 
Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.","cvss":8.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"],"published_time":"2026-04-24T19:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41414","summary":"Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation: any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75","https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41415","summary":"PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in a SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. 
This vulnerability is fixed in 2.17.","cvss":6.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pjsip/pjproject/commit/4225a93c16661538005017883fbc8f1ea1d5f4b0","https://github.com/pjsip/pjproject/security/advisories/GHSA-935m-fmf5-j4pm"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41416","summary":"PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.","cvss":8.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb","https://github.com/pjsip/pjproject/security/advisories/GHSA-f33g-8hjq-62xr"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41418","summary":"4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network — a single request suffices. 
This vulnerability is fixed in 3.3.5.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RARgames/4gaBoards/security/advisories/GHSA-8mj9-p99h-jhxp"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41419","summary":"4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41421","summary":"SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. 
This vulnerability is fixed in 3.6.5.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/siyuan-note/siyuan/security/advisories/GHSA-grjj-6f6g-cq8q"],"published_time":"2026-04-24T19:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41326","summary":"Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc"],"published_time":"2026-04-24T19:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41327","summary":"Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. 
An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3","https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77","https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"],"published_time":"2026-04-24T19:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41328","summary":"Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. 
The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4","https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"],"published_time":"2026-04-24T19:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33666","summary":"Zserio is a framework for serializing structured data in a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj"],"published_time":"2026-04-24T19:17:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33524","summary":"Zserio is a framework for serializing structured data in a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). 
This vulnerability is fixed in 2.18.1.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"],"published_time":"2026-04-24T19:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33662","summary":"OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/crypto_api/acipher/rsassa.c, the amount of padding needed, \"PS size\", is calculated by subtracting the size of the digest and other fields required for the EMSA-PKCS1-v1_5 encoding from the size of the modulus of the key. By selecting a small enough modulus, this subtraction can underflow. The padding is added as a string of 0xFF bytes with a call to memset(), and an underflowed integer will cause the memset() call to overwrite memory until OP-TEE crashes. This only affects platforms registering RSA acceleration.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr"],"published_time":"2026-04-24T19:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42041","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. 
The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63","https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"],"published_time":"2026-04-24T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42042","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c"],"published_time":"2026-04-24T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42043","summary":"Axios is a promise based HTTP client for the browser and Node.js. 
Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"],"published_time":"2026-04-24T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42044","summary":"Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. 
This vulnerability is fixed in 1.15.2.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23","https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"],"published_time":"2026-04-24T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42034","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx","https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42035","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. 
The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9","https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42036","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99","https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42037","summary":"Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\\r\\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. 
This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42038","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42039","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. 
This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9","https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42040","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw"],"published_time":"2026-04-24T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41676","summary":"rust-openssl provides OpenSSL bindings for the Rust programming language.  From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL. 
This vulnerability is fixed in 0.10.78.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41677","summary":"rust-openssl provides OpenSSL bindings for the Rust programming language.  From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.","cvss":1.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":1.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41678","summary":"rust-openssl provides OpenSSL bindings for the Rust programming language.  From  to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough. Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function. 
This vulnerability is fixed in 0.10.78.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41680","summary":"Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \\x09\\x0b\\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7","https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41681","summary":"rust-openssl provides OpenSSL bindings for the Rust programming language.  From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) bytes to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. 
This vulnerability is fixed in 0.10.78.","cvss":8.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe","https://github.com/rust-openssl/rust-openssl/pull/2608","https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78","https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41898","summary":"rust-openssl provides OpenSSL bindings for the Rust programming language.  From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c","https://github.com/rust-openssl/rust-openssl/pull/2607","https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78","https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42033","summary":"Axios is a promise based HTTP client for the browser and Node.js. 
Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf","https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"],"published_time":"2026-04-24T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41140","summary":"Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.","cvss":0.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python-poetry/poetry/security/advisories/GHSA-73h3-mf4w-8647"],"published_time":"2026-04-24T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41321","summary":"@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. 
This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerability is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.","cvss":2.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6","https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6"],"published_time":"2026-04-24T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41322","summary":"@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting static js/css resources from the _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of the if-match header, will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9"],"published_time":"2026-04-24T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41411","summary":"Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. 
If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb","https://github.com/vim/vim/releases/tag/v9.2.0357","https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8"],"published_time":"2026-04-24T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6911","summary":"Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.\n\nTo remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-018-aws/","https://github.com/aws/aws-ops-wheel/pull/164","https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-v5vr-8w3c-37x2"],"published_time":"2026-04-24T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6912","summary":"Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API 
call that sets the custom:deployment_admin attribute.\n\nTo remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-018-aws/","https://github.com/aws/aws-ops-wheel/pull/165","https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq"],"published_time":"2026-04-24T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41067","summary":"Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff","https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff"],"published_time":"2026-04-24T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41079","summary":"OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. 
The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080","https://github.com/OpenPrinting/cups/commit/d7fe0f521ff3b24676511e747b058362b9a20737","https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv"],"published_time":"2026-04-24T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40897","summary":"Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad","https://github.com/josdejong/mathjs/pull/3656","https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5"],"published_time":"2026-04-24T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41066","summary":"lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. 
Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/lxml/+bug/2146291","https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"],"published_time":"2026-04-24T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39920","summary":"BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://axis.apache.org/axis2/java/core/docs/webadminguide.html","https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba","https://issues.apache.org/jira/browse/AXIS2-4279","https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/","https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce"],"published_time":"2026-04-24T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40609","summary":"Rejected reason: This CVE is a duplicate of another 
CVE.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-24T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30368","summary":"A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tasty-hovercraft-9b9.notion.site/Enabling-Unauthorized-Remote-Control-of-Student-Devices-with-Lightspeed-Classroom-2ec5157f5b4a800c9eefc5526479820a","https://www.incognitotgt.me/blog/lightspeed"],"published_time":"2026-04-24T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-59308","summary":"In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mahara.org","https://mahara.org/interaction/forum/topic.php?id=9851"],"published_time":"2026-04-24T16:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-67259","summary":"A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged \"student\" user can access unauthorized course-level information by modifying intercepted API requests. 
Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students' details, tutor/admin profiles, and internal course metadata.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link","https://github.com/classroomio/classroomio/issues/642"],"published_time":"2026-04-24T16:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42095","summary":"bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/KDE/arianna/tags","https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a","https://invent.kde.org/graphics/arianna/-/commit/485851d25de279a9d2711d3780443530e9851300","https://kde.org/info/security/advisory-20260424-1.txt"],"published_time":"2026-04-24T15:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31672","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00usb: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. 
on probe\ndeferral or configuration changes).\n\nFix the USB anchor lifetime so that it is released on driver unbind.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15b233e33b35b927bd8d0044c15325564ea1ba24","https://git.kernel.org/stable/c/1de5c76bf40e9cdeebf54662f63011fb10fa452f","https://git.kernel.org/stable/c/25369b22223d1c56e42a0cd4ac9137349d5a898e","https://git.kernel.org/stable/c/64a457f6afbf15f984d95201a9a1e71eed3f9dd1","https://git.kernel.org/stable/c/65518a6965d527c53013947031f26754f6a4f6af","https://git.kernel.org/stable/c/b245db719bc7e57abf48bd5701662b270c3880f7","https://git.kernel.org/stable/c/c99f198841b41735796e2ddfcd573783fb552eb9","https://git.kernel.org/stable/c/e360d15fcb1e819eef49e3d4434d8050542eed16"],"published_time":"2026-04-24T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31664","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching 
build_expire().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0","https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e","https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2","https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4","https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6","https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31665","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. 
Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n  nf_conntrack_tcp_packet+0x1381/0x29d0\n  nf_conntrack_in+0x612/0x8b0\n  nf_hook_slow+0x70/0x100\n  __ip_local_out+0x1b2/0x210\n  tcp_sendmsg_locked+0x722/0x1580\n  __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n  nft_ct_timeout_obj_init+0xf6/0x290\n  nft_obj_init+0x107/0x1b0\n  nf_tables_newobj+0x680/0x9c0\n  nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n  nft_obj_destroy+0x3f/0xa0\n  nf_tables_trans_destroy_work+0x51c/0x5c0\n  process_one_work+0x2c4/0x5a0","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275","https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77","https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9","https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed","https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff","https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff","https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a","https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31666","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix incorrect return value 
after changing leaf in lookup_extent_data_ref()\n\nAfter commit 1618aa3c2e01 (\"btrfs: simplify return variables in\nlookup_extent_data_ref()\"), the err and ret variables were merged into\na single ret variable. However, when btrfs_next_leaf() returns 0\n(success), ret is overwritten from -ENOENT to 0. If the first key in\nthe next leaf does not match (different objectid or type), the function\nreturns 0 instead of -ENOENT, making the caller believe the lookup\nsucceeded when it did not. This can lead to operations on the wrong\nextent tree item, potentially causing extent tree corruption.\n\nFix this by returning -ENOENT directly when the key does not match,\ninstead of relying on the ret variable.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/316fb1b3169efb081d2db910cbbfef445afa03b9","https://git.kernel.org/stable/c/4125a194db4a6cf91f619f38788272651cb97dce","https://git.kernel.org/stable/c/450e6a685d0cad95b15f8af152057bd0bf79f50b","https://git.kernel.org/stable/c/ab1e022379c3c811aa72da8eb0c7507859a1d0f5"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31667","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n   uinput_dev_upload_effect() -> uinput_request_submit() ->\n   uinput_request_send(), which acquires udev->mutex.\n\n2. 
device create: uinput_ioctl_handler() holds udev->mutex and calls\n   uinput_create_device() -> input_register_device(), which acquires\n   input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n   calls kbd_connect() -> input_register_handle(), which acquires\n   dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n   dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex.  The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep).  This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot().  
Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n  ff->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0","https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328","https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617","https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2","https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d","https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f","https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6","https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31668","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: separate dst_cache for input and output paths in seg6 lwtunnel\n\nThe seg6 lwtunnel uses a single dst_cache per encap route, shared\nbetween seg6_input_core() and seg6_output_core(). These two paths\ncan perform the post-encap SID lookup in different routing contexts\n(e.g., ip rules matching on the ingress interface, or VRF table\nseparation). 
Whichever path runs first populates the cache, and the\nother reuses it blindly, bypassing its own lookup.\n\nFix this by splitting the cache into cache_input and cache_output,\nso each path maintains its own cached dst independently.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a","https://git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449","https://git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9","https://git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c","https://git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf","https://git.kernel.org/stable/c/84d458018b147176b259347103fccb7e93abd2b1","https://git.kernel.org/stable/c/c3812651b522fe8437ebb7063b75ddb95b571643","https://git.kernel.org/stable/c/fb56de5d99218de49d5d43ef3a99e062ecd0f9a1"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31669","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP's mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(&tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. 
The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62","https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597","https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1","https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff","https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7","https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47","https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31670","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: prevent unlimited numbers of rfkill events from being created\n\nUserspace can create an unlimited number of rfkill events if the system\nis so configured, while not consuming them from the rfkill file\ndescriptor, causing a potential out of memory situation.  Prevent this\nfrom bounding the number of pending rfkill events at a \"large\" number\n(i.e. 
1000) to prevent abuses like this.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4","https://git.kernel.org/stable/c/673d2a3eef6e0ee9736501a150c9e4024a4e60a6","https://git.kernel.org/stable/c/80ce4cb026f0a4c4532b6cad827b44debda6256a","https://git.kernel.org/stable/c/82843afc19012a29ba863961ef494165aa1a88f4","https://git.kernel.org/stable/c/a8c26800e0220e1550af012f5a20e50f5c78864d","https://git.kernel.org/stable/c/b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca","https://git.kernel.org/stable/c/e3842779547c83150569071d9980517cc9029fc0","https://git.kernel.org/stable/c/ea245d78dec594372e27d8c79616baf49e98a4a1"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31671","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace.  
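The padding bytes this entry describes (and the analogous ones in the build_polexpire() entry for CVE-2026-31664 above) can be observed from userspace with any C compiler. The following is an added example, not kernel code: it declares a struct with the same shape as struct xfrm_user_report (a one-byte field followed by a struct that needs 4-byte alignment; the inner `selector` fields are assumed stand-ins, not the real xfrm_selector), fills the members in memory that still holds old contents, and counts how many stale bytes survive with no fix, with a whole-struct memset (the build_report() fix) and with a memset_after()-style zeroing of everything past the first member (the build_expire() pattern the polexpire fix copies). The `memset_after` macro here is a userspace analogue whose argument order differs from the kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct xfrm_selector: only its 4-byte alignment matters here,
 * so these fields are assumed for the model and are not the real ones. */
struct selector {
    uint32_t saddr;
    uint32_t daddr;
    uint16_t dport;
    uint16_t sport;
};

/* Same shape as struct xfrm_user_report: a __u8 followed by a struct that
 * needs 4-byte alignment, so the compiler inserts padding at bytes 1..3. */
struct user_report {
    uint8_t proto;
    struct selector sel;
};

/* Userspace analogue of the kernel's memset_after() (argument order differs):
 * overwrite every byte of the object that follows the named member. */
#define memset_after(obj, member, c)                                         \
    memset((char *)(obj) + offsetof(__typeof__(*(obj)), member) +            \
               sizeof((obj)->member),                                        \
           (c),                                                              \
           sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member) -           \
               sizeof((obj)->member))

enum fix_mode { FIX_NONE, FIX_MEMSET_WHOLE, FIX_MEMSET_AFTER };

/* Build a report in memory that previously held other data (a recycled heap
 * object, simulated by filling it with 0xAA), then count the bytes between
 * proto and sel that still hold the old contents. That count is what a copy
 * of the whole struct to userspace would leak. */
size_t leaked_padding_bytes(enum fix_mode mode)
{
    unsigned char *raw = malloc(sizeof(struct user_report));
    if (!raw)
        return (size_t)-1;
    memset(raw, 0xAA, sizeof(struct user_report));   /* stale heap contents */

    struct user_report *ur = (struct user_report *)raw;

    if (mode == FIX_MEMSET_WHOLE)
        memset(ur, 0, sizeof(*ur));        /* zero first, then fill: build_report() fix */

    ur->proto = 50;                         /* member-wise fill; 50 (ESP) is arbitrary */
    if (mode == FIX_MEMSET_AFTER)
        memset_after(ur, proto, 0);        /* build_expire() style: clear past the u8 */
    ur->sel.saddr = 0x0a000001;
    ur->sel.daddr = 0x0a000002;
    ur->sel.dport = 443;
    ur->sel.sport = 0;

    /* Member stores never touch padding, so bytes 1..3 keep 0xAA unless zeroed. */
    size_t leaked = 0;
    for (size_t i = sizeof(ur->proto); i < offsetof(struct user_report, sel); i++)
        if (raw[i] != 0)
            leaked++;

    free(raw);
    return leaked;
}

int main(void)
{
    printf("padding bytes after proto:   %zu\n",
           offsetof(struct user_report, sel) - sizeof(uint8_t));
    printf("stale bytes, no fix:         %zu\n", leaked_padding_bytes(FIX_NONE));
    printf("stale bytes, memset whole:   %zu\n", leaked_padding_bytes(FIX_MEMSET_WHOLE));
    printf("stale bytes, memset_after:   %zu\n", leaked_padding_bytes(FIX_MEMSET_AFTER));
    return 0;
}
```

Either fix is sufficient; which one a kernel patch uses depends on whether every member is assigned afterwards anyway (then a whole-struct zeroing is simplest) or only trailing padding needs clearing (then memset_after() avoids redundant writes).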
Fix that up by\nzeroing the structure before setting individual member variables.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9","https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72","https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe","https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc","https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4","https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8","https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62","https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"],"published_time":"2026-04-24T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31656","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine->heartbeat.systole request.\n\nThe heartbeat worker reads engine->heartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -> intel_engine_park_heartbeat(). 
If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]\n<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n<4> [487.222707] Call Trace:\n<4> [487.222711]  <TASK>\n<4> [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n<4> [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]\n<4> [487.223566]  __engine_park+0xb9/0x650 [i915]\n<4> [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n<4> [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]\n<4> [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]\n<4> [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]\n<4> [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]\n<4> [487.226178]  i915_request_retire+0x1c/0x40 [i915]\n<4> [487.226625]  engine_retire+0x122/0x180 [i915]\n<4> [487.227037]  process_one_work+0x239/0x760\n<4> [487.227060]  worker_thread+0x200/0x3f0\n<4> [487.227068]  ? __pfx_worker_thread+0x10/0x10\n<4> [487.227075]  kthread+0x10d/0x150\n<4> [487.227083]  ? __pfx_kthread+0x10/0x10\n<4> [487.227092]  ret_from_fork+0x3d4/0x480\n<4> [487.227099]  ? __pfx_kthread+0x10/0x10\n<4> [487.227107]  ret_from_fork_asm+0x1a/0x30\n<4> [487.227141]  </TASK>\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. 
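The two interleavings this fix description contrasts can be written down with plain C11 atomics. The following is an added example, not i915 code: the `engine` and `request` structs and the integer refcount are stand-ins for engine->heartbeat.systole and the i915_request kref, and the race is driven as an explicit step-by-step interleaving rather than with threads so the outcome is deterministic. With a separate read and clear, both the heartbeat worker and the park path obtain the same non-NULL pointer and each calls put(), driving the count below zero; with an exchange, the second caller gets NULL and skips the put.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct i915_request: the real object uses a kref whose
 * underflow trips refcount_warn_saturate(); a plain int shows the same thing. */
struct request {
    int refcount;
};

/* Stand-in for engine->heartbeat.systole, the pointer both paths release. */
struct engine {
    _Atomic(struct request *) systole;
};

static void request_put(struct request *rq)   /* i915_request_put() stand-in */
{
    rq->refcount--;
}

/* Fixed pattern: one xchg() atomically reads the old pointer and writes NULL,
 * so exactly one caller can ever see a non-NULL value. */
static struct request *take_systole(struct engine *e)
{
    return atomic_exchange(&e->systole, NULL);
}

/* Drive the racing interleaving explicitly. In the buggy variant each path
 * performs "read pointer" and "clear pointer" as two separate steps, and the
 * park path (timer pending, cancel_delayed_work() returned true) reads the
 * pointer after the worker read it but before the worker cleared it.
 * Returns the final refcount: 0 means released once, -1 means underflow. */
int run_race(bool use_xchg)
{
    struct request rq = { .refcount = 1 };     /* the reference held by systole */
    struct engine e;
    atomic_init(&e.systole, &rq);

    struct request *seen_by_worker, *seen_by_park;

    if (use_xchg) {
        seen_by_worker = take_systole(&e);         /* worker: gets &rq, pointer now NULL */
        seen_by_park   = take_systole(&e);         /* park:   gets NULL */
    } else {
        seen_by_worker = atomic_load(&e.systole);  /* 1. worker reads the pointer */
        seen_by_park   = atomic_load(&e.systole);  /* 2. park reads the same pointer */
        atomic_store(&e.systole, NULL);            /* 3. worker clears, too late */
        atomic_store(&e.systole, NULL);            /* 4. park clears */
    }

    if (seen_by_worker)
        request_put(seen_by_worker);
    if (seen_by_park)
        request_put(seen_by_park);                 /* second put only in the buggy path */

    return rq.refcount;
}

int main(void)
{
    printf("read then clear: final refcount %d\n", run_race(false));
    printf("xchg:            final refcount %d\n", run_race(true));
    return 0;
}
```

The same ownership-transfer idiom applies to any "last one out releases" pointer shared between a worker and a teardown path: whoever wins the exchange owns the reference, and nobody else has anything to release.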
This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1","https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657","https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061","https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68","https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4","https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7","https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31657","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim->backbone_gw and drop the old\ngateway's last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim->backbone_gw->orig and\ntakes claim->backbone_gw->crc_lock without pinning the underlying\nbackbone gateway. 
batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b","https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f","https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35","https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd","https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2","https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31658","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()\n\nWhen dma_map_single() fails in tse_start_xmit(), the function returns\nNETDEV_TX_OK without freeing the skb. 
Since NETDEV_TX_OK tells the\nstack the packet was consumed, the skb is never freed, leaking memory\non every DMA mapping failure.\n\nAdd dev_kfree_skb_any() before returning to properly free the skb.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2eb9d67704ca8f1101f7435b85f113ede471f9f2","https://git.kernel.org/stable/c/3aca300e88afe56afb000cdc4c65383014fb17f9","https://git.kernel.org/stable/c/60f462cd2716d86bd2174f9d5e035c9278f30480","https://git.kernel.org/stable/c/6dede3967619b5944003227a5d09fdc21ed57d10","https://git.kernel.org/stable/c/9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7","https://git.kernel.org/stable/c/ae2cd46f57f422b51aedd406ff5d75cbff401d5d","https://git.kernel.org/stable/c/cb1d318702fdf643061350d164250198df4116f2","https://git.kernel.org/stable/c/d5ec406f0543bd6cdfd563b08015fdec8c4d5712"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31659","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. 
When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa","https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6","https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062","https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897","https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3","https://git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9","https://git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10","https://git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31660","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. 
That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279","https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f","https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de","https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb","https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038","https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28","https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637","https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31661","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. 
The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84","https://git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667","https://git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53","https://git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177","https://git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab","https://git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59","https://git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa","https://git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31662","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. 
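Both this TIPC entry and the batman-adv TT response entry (CVE-2026-31659 above) come down to arithmetic in a 16-bit field that was never range-checked. The following is an added example, not kernel code, and it models both in one place with assumed simplifications: the TT side uses a fixed 4-byte placeholder for the VLAN header offset (not the real header size) and reports whether the wrapped allocation would be smaller than the payload the full-table path later copies into it, beside a checked version that rejects lengths which cannot fit the 16-bit TVLV length field; the TIPC side keeps a u16 `bc_ackers` plus a per-member record of the last acknowledged round (standing in for bc_acked), so a duplicate GRP_ACK_MSG wraps the counter to 65535 in the unfixed handler and is dropped by the fixed one. The group layout, member count and the "congested while bc_ackers is non-zero" reading are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- CVE-2026-31659: allocation length computed in u16 temporaries ---- */

#define VLAN_HDR_LEN 4u   /* assumed placeholder for the VLAN header offset */

/* Vulnerable arithmetic: tt_len plus the header offset in a uint16_t. */
uint16_t tt_alloc_len_wrapped(uint32_t tt_len)
{
    uint16_t tmp = (uint16_t)tt_len;              /* 16-bit temporary */
    tmp = (uint16_t)(tmp + VLAN_HDR_LEN);         /* wraps past 65535 */
    return tmp;                                    /* what kmalloc() would be asked for */
}

/* True when the full-table path, which still copies tt_len bytes of
 * tt_change, would write past the end of the wrapped allocation. */
bool tt_alloc_overflows(uint32_t tt_len)
{
    return (uint32_t)tt_alloc_len_wrapped(tt_len) < tt_len;
}

/* Fixed: refuse any response whose TVLV value length cannot be represented
 * in the 16-bit TVLV length field, before sizing the allocation.
 * Returns the allocation length, or -EINVAL. */
long tt_alloc_len_checked(uint32_t tt_len)
{
    if (tt_len > UINT16_MAX - VLAN_HDR_LEN)       /* would not fit the u16 field */
        return -EINVAL;
    return (long)(tt_len + VLAN_HDR_LEN);         /* widened, cannot wrap here */
}

/* ---- CVE-2026-31662: u16 bc_ackers decremented on duplicate GRP_ACK_MSG ---- */

#define MEMBERS 3

struct group {
    uint16_t bc_snd_nxt;              /* current broadcast round */
    uint16_t bc_ackers;               /* members that have not yet acked it;
                                       * non-zero is read as "congested" */
    uint16_t member_acked[MEMBERS];   /* per-member last acked round (bc_acked) */
};

static void group_bcast(struct group *g)
{
    g->bc_snd_nxt++;
    g->bc_ackers = MEMBERS;           /* everyone must ack this round */
}

/* Unfixed handler: every ACK decrements, duplicates included. */
static void group_ack_rcv_unfixed(struct group *g, int member, uint16_t round)
{
    g->member_acked[member] = round;
    g->bc_ackers--;                   /* 0 - 1 wraps to 65535 */
}

/* Fixed handler: stale (wrong round) or duplicate (already recorded) ACKs
 * are dropped before bc_acked or bc_ackers are touched. */
static bool group_ack_rcv_fixed(struct group *g, int member, uint16_t round)
{
    if (round != g->bc_snd_nxt || g->member_acked[member] == round)
        return false;
    g->member_acked[member] = round;
    g->bc_ackers--;
    return true;
}

/* One broadcast round, every member acks once, then member 0 acks the same
 * round again. Returns the resulting bc_ackers. */
uint16_t run_ack_scenario(bool fixed)
{
    struct group g = { 0 };
    group_bcast(&g);
    int acks[] = { 0, 1, 2, 0 };      /* constructed sequence; last one is the duplicate */
    for (size_t i = 0; i < sizeof(acks) / sizeof(acks[0]); i++) {
        if (fixed)
            group_ack_rcv_fixed(&g, acks[i], g.bc_snd_nxt);
        else
            group_ack_rcv_unfixed(&g, acks[i], g.bc_snd_nxt);
    }
    return g.bc_ackers;
}

int main(void)
{
    printf("tt_len=65534: wrapped alloc=%u overflows=%d checked=%ld\n",
           tt_alloc_len_wrapped(65534), (int)tt_alloc_overflows(65534),
           tt_alloc_len_checked(65534));
    printf("bc_ackers after duplicate ack: unfixed=%u fixed=%u\n",
           run_ack_scenario(false), run_ack_scenario(true));
    return 0;
}
```

The two bugs are mirror images: one adds into a u16 and lets the sum wrap low before an allocation, the other subtracts from a u16 and lets it wrap high before a congestion check. In both, the remedy is to validate against the field's range (or the protocol state) before the arithmetic, not after.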
This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711","https://git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412","https://git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3","https://git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8","https://git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8","https://git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6","https://git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92","https://git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31663","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: hold dev ref until after transport_finish NF_HOOK\n\nAfter async crypto completes, xfrm_input_resume() calls dev_put()\nimmediately on re-entry before the skb reaches transport_finish.\nThe skb->dev pointer is then used inside NF_HOOK and its okfn,\nwhich can race with device teardown.\n\nRemove the dev_put from the async resumption entry and instead\ndrop the reference after the NF_HOOK call in transport_finish,\nusing a saved device pointer since NF_HOOK may consume the skb.\nThis covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip\nthe okfn.\n\nFor non-transport exits (decaps, gro, drop) and secondary\nasync return points, release the reference inline when\nasync is 
set.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b","https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb","https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2"],"published_time":"2026-04-24T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31647","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling\n\nSwitch from using the completion's raw spinlock to a local lock in the\nidpf_vc_xn struct. The conversion is safe because complete/_all() are\ncalled outside the lock and there is no reason to share the completion\nlock in the current logic. This avoids invalid wait context reported by\nthe kernel due to the async handler taking BH spinlock:\n\n[  805.726977] =============================\n[  805.726991] [ BUG: Invalid wait context ]\n[  805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S         OE\n[  805.727026] -----------------------------\n[  805.727038] kworker/u261:0/572 is trying to lock:\n[  805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727099] other info that might help us debug this:\n[  805.727111] context-{5:5}\n[  805.727119] 3 locks held by kworker/u261:0/572:\n[  805.727132]  #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730\n[  805.727163]  #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730\n[  805.727191]  #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]\n[  805.727218] stack backtrace:\n...\n[  805.727238] Workqueue: 
idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]\n[  805.727247] Call Trace:\n[  805.727249]  <TASK>\n[  805.727251]  dump_stack_lvl+0x77/0xb0\n[  805.727259]  __lock_acquire+0xb3b/0x2290\n[  805.727268]  ? __irq_work_queue_local+0x59/0x130\n[  805.727275]  lock_acquire+0xc6/0x2f0\n[  805.727277]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727284]  ? _printk+0x5b/0x80\n[  805.727290]  _raw_spin_lock_bh+0x38/0x50\n[  805.727298]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727303]  idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727310]  idpf_recv_mb_msg+0x1c8/0x710 [idpf]\n[  805.727317]  process_one_work+0x226/0x730\n[  805.727322]  worker_thread+0x19e/0x340\n[  805.727325]  ? __pfx_worker_thread+0x10/0x10\n[  805.727328]  kthread+0xf4/0x130\n[  805.727333]  ? __pfx_kthread+0x10/0x10\n[  805.727336]  ret_from_fork+0x32c/0x410\n[  805.727345]  ? __pfx_kthread+0x10/0x10\n[  805.727347]  ret_from_fork_asm+0x1a/0x30\n[  805.727354]  </TASK>","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3bb632c6b6d8154e9019beda4a43a4b518ee3e8a","https://git.kernel.org/stable/c/591478118293c1bd628de330a99eb1eb2ef8d76b","https://git.kernel.org/stable/c/b448529f2f2921c6fe82fd4e985cc7c05cbf02a3","https://git.kernel.org/stable/c/e02c974fc331f04b5ba2007d4bc6862df8a43148"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31648","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[  734.496287] BUG: Bad page state in process stress-ng-env  pfn:415735fb\n[  734.496427] page: refcount:0 
mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[  734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[  734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[  734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[  734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page’s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred.  By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[  734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[  734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[  734.469315] memcg:ffff000807a8ec00\n[  734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[  734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[  734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[  734.469390] ------------[ cut here ]------------\n[  734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[  734.469551]  folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[  734.469555]  set_pte_range+0xd8/0x2f8\n[  734.469566]  filemap_map_folio_range+0x190/0x400\n[  734.469579]  filemap_map_pages+0x348/0x638\n[  734.469583]  do_fault_around+0x140/0x198\n......\n[  734.469640]  el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that 
set_pte_range()\ntried to map beyond the large folio’s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0                                                  CPU 1\nfilemap_map_pages()                                   ext4_setattr()\n   //get and lock folio with old inode->i_size\n   next_uptodate_folio()\n\n                                                          .......\n                                                          //shrink the inode->i_size\n                                                          i_size_write(inode, attr->ia_size);\n\n   //calculate the end_pgoff with the new inode->i_size\n   file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n   end_pgoff = min(end_pgoff, file_end);\n\n   ......\n   //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n   end = folio_next_index(folio) - 1;\n   nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n   ......\n   //map large folio\n   filemap_map_folio_range()\n                                                          ......\n                                                          //truncate folios\n                                                          truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid 
\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740","https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6","https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1","https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f","https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31649","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb->len (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len <= bmax) but a\nlarge total length due to page fragments (skb->len > bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb->data + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  
Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb","https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b","https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d","https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48","https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67","https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803","https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f","https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31650","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix use-after-free on disconnect\n\nThe vub300 driver maintains an explicit reference count for the\ncontroller and its driver data and the last reference can in theory be\ndropped after the driver has been unbound.\n\nThis specifically means that the controller allocation must not be\ndevice managed as that can lead to use-after-free.\n\nNote that the lifetime is currently also incorrectly tied the parent USB\ndevice rather than interface, which can lead to memory leaks if the\ndriver is unbound without its device being physically disconnected (e.g.\non probe deferral).\n\nFix both issues by reverting to non-managed allocation of the 
controller.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8f4d20a710225ec7a565f6a0459862d3b1f32330","https://git.kernel.org/stable/c/ea7468f61be033f4e18b95f2912010ed1d175d75","https://git.kernel.org/stable/c/ef0448c569b37ceabdd038e9faa311e5179127b0"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31651","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0","https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c","https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93","https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a","https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61","https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919","https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82","https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31652","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context).  
Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated.  Hence, if the damon_call() is\nfailed, and the user writes Y to “enabled” again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails.  That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished.  In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated.  If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620","https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb","https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31653","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: dealloc repeat_call_control if damon_call() fails\n\ndamon_call() for repeat_call_control of DAMON_SYSFS could fail if somehow\nthe kdamond is stopped before the damon_call().  
It could happen, for\nexample, when the damon context was made for monitoring of a virtual\naddress processes, and the process is terminated immediately, before the\ndamon_call() invocation.  In the case, the dynamically allocated\nrepeat_call_control is not deallocated and leaked.\n\nFix the leak by deallocating the repeat_call_control under the\ndamon_call() failure.\n\nThis issue is discovered by sashiko [1].","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0199390a6b92fc21860e1b858abf525c7e73b956","https://git.kernel.org/stable/c/0655f5cf1735508394ef8af98ddcfab3ac1c1cc5","https://git.kernel.org/stable/c/b9dadf026a9fb681ed32a0646adc10ab485bf3b1"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31654","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: fix memory leak in __mmap_region()\n\ncommit 605f6586ecf7 (\"mm/vma: do not leak memory when .mmap_prepare\nswaps the file\") handled the success path by skipping get_file() via\nfile_doesnt_need_get, but missed the error path.\n\nWhen /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls\nshmem_zero_setup_desc() which allocates a new shmem file to back the\nmapping. 
If __mmap_new_vma() subsequently fails, this replacement\nfile is never fput()'d - the original is released by\nksys_mmap_pgoff(), but nobody releases the new one.\n\nAdd fput() for the swapped file in the error path.\n\nReproducible with fault injection.\n\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 1\nCPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x164/0x1f0\n should_fail_ex+0x525/0x650\n should_failslab+0xdf/0x140\n kmem_cache_alloc_noprof+0x78/0x630\n vm_area_alloc+0x24/0x160\n __mmap_region+0xf6b/0x2660\n mmap_region+0x2eb/0x3a0\n do_mmap+0xc79/0x1240\n vm_mmap_pgoff+0x252/0x4c0\n ksys_mmap_pgoff+0xf8/0x120\n __x64_sys_mmap+0x12a/0x190\n do_syscall_64+0xa9/0x580\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n\nkmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881118aca80 (size 360):\n  comm \"syz.7.14\", pid 366, jiffies 4294913255\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff  .........(M.....\n  backtrace (crc db0f53bc):\n    kmem_cache_alloc_noprof+0x3ab/0x630\n    alloc_empty_file+0x5a/0x1e0\n    alloc_file_pseudo+0x135/0x220\n    __shmem_file_setup+0x274/0x420\n    shmem_zero_setup_desc+0x9c/0x170\n    mmap_zero_prepare+0x123/0x140\n    __mmap_region+0xdda/0x2660\n    mmap_region+0x2eb/0x3a0\n    do_mmap+0xc79/0x1240\n    vm_mmap_pgoff+0x252/0x4c0\n    ksys_mmap_pgoff+0xf8/0x120\n    __x64_sys_mmap+0x12a/0x190\n    do_syscall_64+0xa9/0x580\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFound by 
syzkaller.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/61fc8eaf2ab214b32c7bce52597c80cf0ca41ada","https://git.kernel.org/stable/c/894f99eb535edc4514f756818f3c4f688ba53a59"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31655","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled\n\nKeep the NOC_HDCP clock always enabled to fix the potential hang\ncaused by the NoC ADB400 port power down handshake.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3086374e8bc7fd65f2cc62ef52351c6d662f1543","https://git.kernel.org/stable/c/80fd0de89805a3f92dc320f5ab5a18007c260374","https://git.kernel.org/stable/c/d1ef779d02b5df4e8bff4083b20bfea587b43c4b","https://git.kernel.org/stable/c/e44919669f07b8f113ad49a248b44ca4f119bc94","https://git.kernel.org/stable/c/e91d5f94acf68618ea3ad9c92ac28614e791ae7d"],"published_time":"2026-04-24T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31637","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption 
fails.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60","https://git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a","https://git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7d","https://git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7de","https://git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31638","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down.  In that\ncase chan->call is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call().  This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired.  
Keep the\nexisting protocol error handling unchanged.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d","https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5","https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4","https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38","https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31639","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call->key\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key.  This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call->key in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000  1000  1000 rxrpc     afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep 
afs@54321\n$","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914","https://git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6","https://git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733","https://git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3","https://git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31640","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix use of wrong skb when comparing queued RESP challenge serial\n\nIn rxrpc_post_response(), the code should be comparing the challenge serial\nnumber from the cached response before deciding to switch to a newer\nresponse, but looks at the newer packet private data instead, rendering the\ncomparison always false.\n\nFix this by switching to look at the older packet.\n\nFix further[1] to substitute the new packet in place of the old one if\nnewer and also to release whichever we don't use.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20386e7f8d97475b8d815873e246423317ec4260","https://git.kernel.org/stable/c/9132b1a7bf83b4a8042fffbc99d075b727a16742","https://git.kernel.org/stable/c/b33f5741bb187db8ff32e8f5b96def77cc94dfca"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31641","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix RxGK token loading to check bounds\n\nrxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket 
length\nfrom the XDR token as u32 values and passes each through round_up(x, 4)\nbefore using the rounded value for validation and allocation.  When the raw\nlength is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and\nkzalloc both use 0 while the subsequent memcpy still copies the original\n~4 GiB value, producing a heap buffer overflow reachable from an\nunprivileged add_key() call.\n\nFix this by:\n\n (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket\n     lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with\n     the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.\n\n (2) Sizing the flexible-array allocation from the validated raw key\n     length via struct_size_t() instead of the rounded value.\n\n (3) Caching the raw lengths so that the later field assignments and\n     memcpy calls do not re-read from the token, eliminating a class of\n     TOCTOU re-parse.\n\nThe control path (valid token with lengths within bounds) is unaffected.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c","https://git.kernel.org/stable/c/49875b360c2b83a3c226e189c502e501d83e6445","https://git.kernel.org/stable/c/d179a868dd755b0cfcf7582e00943d702b9943b8"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31642","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call removal to use RCU safe deletion\n\nFix rxrpc call removal from the rxnet->calls list to use list_del_rcu()\nrather than list_del_init() to prevent stuffing up reading\n/proc/net/rxrpc/calls from potentially getting into an infinite loop.\n\nThis, however, means that list_empty() no longer works on an entry that's\nbeen deleted from the list, making it 
harder to detect prior deletion.  Fix\nthis by:\n\nFirstly, make rxrpc_destroy_all_calls() only dump the first ten calls that\nare unexpectedly still on the list.  Limiting the number of steps means\nthere's no need to call cond_resched() or to remove calls from the list\nhere, thereby eliminating the need for rxrpc_put_call() to check for that.\n\nrxrpc_put_call() can then be fixed to unconditionally delete the call from\nthe list as it is the only place that the deletion occurs.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/146d4ab94cf129ee06cd467cb5c71368a6b5bad6","https://git.kernel.org/stable/c/3be718f659683ad89fad6f1eb66bee99727cae64","https://git.kernel.org/stable/c/93fc15be44a35b8e3c58d0238ac0d9b7c53465ff","https://git.kernel.org/stable/c/ac5f54691be06a32246179d41be2d73598036deb","https://git.kernel.org/stable/c/c63abf25203b50243fe228090526f9dbf37727bd"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31643","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key parsing memleak\n\nIn rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be\nleaked in a few error paths after it's allocated.\n\nFix this by freeing it in the \"reject_token:\" case.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f51318feb626deee1d0c8a190198cd7857d599","https://git.kernel.org/stable/c/b555912b9b21075e8298015f888ffe3ff60b1a97","https://git.kernel.org/stable/c/d5f76f812d2c0ea6dd651b0586be49e85ecca085"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31644","summary":"In the 
Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix use-after-free and leak in lan966x_fdma_reload()\n\nWhen lan966x_fdma_reload() fails to allocate new RX buffers, the restore\npath restarts DMA using old descriptors whose pages were already freed\nvia lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can\nrelease pages back to the buddy allocator, the hardware may DMA into\nmemory now owned by other kernel subsystems.\n\nAdditionally, on the restore path, the newly created page pool (if\nallocation partially succeeded) is overwritten without being destroyed,\nleaking it.\n\nFix both issues by deferring the release of old pages until after the\nnew allocation succeeds. Save the old page array before the allocation\nso old pages can be freed on the success path. On the failure path, the\nold descriptors, pages and page pool are all still valid, making the\nrestore safe. Also ensure the restore path re-enables NAPI and wakes\nthe netdev, matching the success path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84","https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e","https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f","https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31645","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page pool leak in error paths\n\nlan966x_fdma_rx_alloc() creates a page pool but does not destroy it if\nthe subsequent fdma_alloc_coherent() call fails, leaking the pool.\n\nSimilarly, lan966x_fdma_init() frees the coherent DMA memory when\nlan966x_fdma_tx_alloc() fails but does 
not destroy the page pool that\nwas successfully created by lan966x_fdma_rx_alloc(), leaking it.\n\nAdd the missing page_pool_destroy() calls in both error paths.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/076344a6ad9d1308faaed1402fdcfdda68b604ab","https://git.kernel.org/stable/c/22e1ee9f22b5c3bb702bb6d4167d770002a85b2b","https://git.kernel.org/stable/c/4941e234cfd67ac911fb259642b453f9f76aac41","https://git.kernel.org/stable/c/73e940c4249dc5ec6422d1fae535d192fb125955"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31646","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/305832c53551cfbe6e5b81ca7ee765e60f4fe8e9","https://git.kernel.org/stable/c/3fd0da4fd8851a7e62d009b7db6c4a05b092bc19","https://git.kernel.org/stable/c/7caf90d9ab97951a58d1de85ab7e7d7cca7a4513","https://git.kernel.org/stable/c/b5dcb41ba891b55157006cac79825c78a32b409e","https://git.kernel.org/stable/c/e63265f188ea39dcf5f546770650027528f3bd0f"],"published_time":"2026-04-24T15:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31627","summary":"In the Linux kernel, the following vulnerability has 
been resolved:\n\ni2c: s3c24xx: check the size of the SMBUS message before using it\n\nThe first byte of an i2c SMBUS message is the size, and it should be\nverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX\nbefore processing it.\n\nThis is the same logic that was added in commit a6e04f05ce0b (\"i2c:\ntegra: check msg length in SMBUS block read\") to the i2c tegra driver.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416","https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d","https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b","https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31628","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1's hardware divider can leave, under certain circumstances, partial\nresults from previous operations.  
Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0548529af20e68c6552817834b766646dd3bd7a7","https://git.kernel.org/stable/c/1272cfedf4cd1019ddf583917a99b62f2d3645bb","https://git.kernel.org/stable/c/546785c719418c6166834a47e372a88f5f7ae893","https://git.kernel.org/stable/c/91f02726b2203b71545713ecb7fb006e60a2d66f","https://git.kernel.org/stable/c/ad17f07e95e6e8505e2153e5b391f0d27eacce25","https://git.kernel.org/stable/c/b731aca06387b195058a9f6449a03b62efa1bd10","https://git.kernel.org/stable/c/e6af5286efe5a56128b34032572c9ce9ebeccda3","https://git.kernel.org/stable/c/ed7a3a246309ccc807238f1b4f159ee6d37ff9c4"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31629","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. 
This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2","https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf","https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6","https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31630","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n  [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. 
That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n  explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n  mapped-v4 example","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874","https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272","https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31631","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix buffer overread in rxgk_do_verify_authenticator()\n\nFix rxgk_do_verify_authenticator() to check the buffer size before checking\nthe nonce.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c4422d8be81718ecb15d79aedff607323085201","https://git.kernel.org/stable/c/794586789800b16dcbe235452494f4223ac80413","https://git.kernel.org/stable/c/f564af387c8c28238f8ebc13314c589d7ba8475d"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31632","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix leak of rxgk context in rxgk_verify_response()\n\nFix rxgk_verify_response() to clean up the rxgk context it 
creates.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bd3d01378c1f9ecd313d394b51c808c1f418615","https://git.kernel.org/stable/c/4b5e8365515f4409de7d3b92a439154ee4f90f6d","https://git.kernel.org/stable/c/7e1876caa8363056f58a21d3b31b82c2daf7e608"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31633","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix integer overflow in rxgk_verify_response()\n\nIn rxgk_verify_response(), there's a potential integer overflow due to\nrounding up token_len before checking it, thereby allowing the length check to\nbe bypassed.\n\nFix this by checking the unrounded value against len too (len is limited as\nthe response must fit in a single UDP packet).","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f864d9daaf622aeaa774404fd51e7d6a435b046","https://git.kernel.org/stable/c/699e52180f4231c257821c037ed5c99d5eb0edb8","https://git.kernel.org/stable/c/c1e242beb6b1efc3c286f617e8d940c8fbf2ed41"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31634","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx->securities is already 
set.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12de9e0e0b0b7058be7dfb8a5927eb565bc25780","https://git.kernel.org/stable/c/139c750bf06649097d98b0bc41e2a678b4627e27","https://git.kernel.org/stable/c/8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a","https://git.kernel.org/stable/c/9ce36d28f67c2a477a7e2f03480de3f6783fb363","https://git.kernel.org/stable/c/c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2","https://git.kernel.org/stable/c/f125846ee79fcae537a964ce66494e96fa54a6de","https://git.kernel.org/stable/c/fc76d0bd00850b7372f0a4a319c0c60f80487632"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31635","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix oversized RESPONSE authenticator length check\n\nrxgk_verify_response() decodes auth_len from the packet and is supposed\nto verify that it fits in the remaining bytes. 
The existing check is\ninverted, so oversized RESPONSE authenticators are accepted and passed\nto rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an\nimpossible length and hit BUG_ON(len).\n\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\n\nRIP: __skb_to_sgvec()\n  [net/core/skbuff.c:5285 (discriminator 1)]\nCall Trace:\n skb_to_sgvec() [net/core/skbuff.c:5305]\n rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]\n rxgk_verify_response() [net/rxrpc/rxgk.c:1268]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n process_one_work() [kernel/workqueue.c:3281]\n worker_thread()\n   [kernel/workqueue.c:3353 kernel/workqueue.c:3440]\n kthread() [kernel/kthread.c:436]\n ret_from_fork() [arch/x86/kernel/process.c:164]\n\nReject authenticator lengths that exceed the remaining packet payload.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/a2567217ade970ecc458144b6be469bc015b23e5","https://git.kernel.org/stable/c/beee051f259acd286fed64c32c2b31e6f5097eb5","https://git.kernel.org/stable/c/e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31636","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix RESPONSE authenticator parser OOB read\n\nrxgk_verify_authenticator() copies auth_len bytes into a temporary\nbuffer and then passes p + auth_len as the parser limit to\nrxgk_do_verify_authenticator(). 
Since p is a __be32 *, that inflates the\nparser end pointer by a factor of four and lets malformed RESPONSE\nauthenticators read past the kmalloc() buffer.\n\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\n\nBUG: KASAN: slab-out-of-bounds in rxgk_verify_response()\nCall Trace:\n dump_stack_lvl() [lib/dump_stack.c:123]\n print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]\n kasan_report() [mm/kasan/report.c:597]\n rxgk_verify_response()\n   [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167\n    net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n process_one_work() [kernel/workqueue.c:3281]\n worker_thread()\n   [kernel/workqueue.c:3353 kernel/workqueue.c:3440]\n kthread() [kernel/kthread.c:436]\n ret_from_fork() [arch/x86/kernel/process.c:164]\n\nAllocated by task 54:\n rxgk_verify_response()\n   [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155\n    net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n\nConvert the byte count to __be32 units before constructing the parser\nlimit.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20a188775a9a9982d1987e12660d9b44b40a6c99","https://git.kernel.org/stable/c/3e3138007887504ee9206d0bfb5acb062c600025","https://git.kernel.org/stable/c/7875f3d9777bd4e9892c4db830571ab8ac2044c0"],"published_time":"2026-04-24T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31618","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need 
to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/53cb4e79a07124d2ebe502983c29800104080b47","https://git.kernel.org/stable/c/63dfb0b4741f46d65b667c4275132b3d1966acc8","https://git.kernel.org/stable/c/6567d3e1aaadfebf44ce7dc9ea2630323cd4c736","https://git.kernel.org/stable/c/fc386daa6846551a88d338ba9864fc2812cd9030"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31619","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: fireworks: bound device-supplied status before string array lookup\n\nThe status field in an EFW response is a 32-bit value supplied by the\nfirewire device.  efr_status_names[] has 17 entries so a status value\noutside that range goes off into the weeds when looking at the %s value.\n\nEven worse, the status could return EFR_STATUS_INCOMPLETE which is\n0x80000000, and is obviously not in that array of potential strings.\n\nFix this up by properly bounding the index against the array size and\nprinting \"unknown\" if it's not recognized.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/67cfd14074cdafab5de3f7cfc0952c1a9b653e5d","https://git.kernel.org/stable/c/682d8accf0d83a871e8c327b95c81f53902c922b","https://git.kernel.org/stable/c/cc624b3d2be13297100539b64ad950695188e046","https://git.kernel.org/stable/c/e103f98f6615ed2934e9cf340654f0cad9eb8a8a"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31620","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nALSA: usx2y: us144mkii: fix NULL deref on missing interface 0\n\nA malicious USB device with the TASCAM US-144MKII device id can have a\nconfiguration containing bInterfaceNumber=1 but no interface 0.  USB\nconfiguration descriptors are not required to assign interface numbers\nsequentially, so usb_ifnum_to_if(dev, 0) returns will NULL, which will\nthen be dereferenced directly.\n\nFix this up by checking the return value properly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09b145c1f1331c40dc955c0024d636f25417cddb","https://git.kernel.org/stable/c/d04dd67ab10dc978c6c843c6bd6a2a66a9444f51","https://git.kernel.org/stable/c/fbaf29ce00e7bce683f3faf4f2b326bd0a9e6602"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31621","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return.  The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd->auxr_dev = NULL and frees the underlying object.  
The subsequent\nbd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a","https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31622","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: Bounds check NFC-A cascade depth in SDD response handler\n\nThe NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3\nor 4 bytes to target->nfcid1 on each round, but the number of cascade\nrounds is controlled entirely by the peer device.  The peer sets the\ncascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the\ncascade-incomplete bit in the SEL_RES (deciding whether another round\nfollows).\n\nISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is\nsized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver\nactually enforces this.  
This means a malicious peer can keep the\ncascade running, writing past the heap-allocated nfc_target with each\nround.\n\nFix this by rejecting the response when the accumulated UID would exceed\nthe buffer.\n\nCommit e329e71013c9 (\"NFC: nci: Bounds check struct nfc_target arrays\")\nfixed similar missing checks against the same field on the NCI path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc","https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1","https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba","https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31623","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached.  
This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801","https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c","https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5","https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31624","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device.  The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like 
snto32()\ndoes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95","https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f","https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195","https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31625","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: alps: fix NULL pointer dereference in alps_raw_event()\n\nCommit ecfa6f34492c (\"HID: Add HID_CLAIMED_INPUT guards in raw_event\ncallbacks missing them\") attempted to fix up the HID drivers that had\nmissed the previous fix that was done in 2ff5baa9b527 (\"HID: appleir:\nFix potential NULL dereference at raw event handle\"), but the alps\ndriver was missed.\n\nFix this up by properly checking in the hid-alps driver that it had been\nclaimed correctly before attempting to process the raw event.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0091dfa542a362c178a7e9393097138a57d327d1","https://git.kernel.org/stable/c/4b618248d2307a219d9431a730cfe1156c8e3386","https://git.kernel.org/stable/c/8eed7bce7a4c41ab28ee4891103623a12fd41611","https://git.kernel.org/stable/c/ee2cb3ddfdca949dbc0c3f796ed5a439f0efc9f6"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31626","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to 
prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/b487a7754d874230299d5a9c2710ec4df8b2ed8a","https://git.kernel.org/stable/c/c2026c6b603ebec52f55015496703fe79077accf","https://git.kernel.org/stable/c/d5b8f5f8d6fc09a8af5ed139c688660f578ed732","https://git.kernel.org/stable/c/ef74ce5f0bc0e53ce702d8a794f3957884a26efc"],"published_time":"2026-04-24T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31608","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()\n\nsmb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),\nso we should not call it again after post_sendmsg()\nmoved it to the batch list.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ba03f46132b0d1a7bafb86e1ef61951a2254023","https://git.kernel.org/stable/c/6968c91fab05b8fc4d6700e0cf34472bb422df25","https://git.kernel.org/stable/c/830de6eeb9db4cb7e758201fb99328ef4ca4b032"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31609","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: avoid double-free in smbd_free_send_io() after 
smbd_send_batch_flush()\n\nsmbd_send_batch_flush() already calls smbd_free_send_io(),\nso we should not call it again after smbd_post_send()\nmoved it to the batch list.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22b7c1c619d808aec4cad3dc42103345e370d107","https://git.kernel.org/stable/c/a9940dcbe5cb92482c04efc7341039ddf7dbf607","https://git.kernel.org/stable/c/f9a162c2bbcd0ac85bd07c5b37cf20286048b65c"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31610","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn->mechToken immediately via kmemdup_nul().  If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live.  This could happen if mechListMIC [3]\noverrunse the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn->use_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed.  The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn->use_spnego && conn->mechToken) {\n\t\tkfree(conn->mechToken);\n\t\tconn->mechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking check for use_spnego, as it's not required,\nso the memory will always be properly freed.  
At the same time, always\nfree the memory in ksmbd_conn_free() incase some other failure path\nforgot to free it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6","https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162","https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604","https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31611","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require 3 sub-authorities before reading sub_auth[2]\n\nparse_dacl() compares each ACE SID against sid_unix_NFS_mode and on\nmatch reads sid.sub_auth[2] as the file mode.  If sid_unix_NFS_mode is\nthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares\nonly min(num_subauth, 2) sub-authorities so a client SID with\nnum_subauth = 2 and sub_auth = {88, 3} will match.\n\nIf num_subauth = 2 and the ACE is placed at the very end of the security\ndescriptor, sub_auth[2] will be  4 bytes past end_of_acl.  
The\nout-of-band bytes will then be masked to the low 9 bits and applied as\nthe file's POSIX mode, probably not something that is good to have\nhappen.\n\nFix this up by forcing the SID to actually carry a third sub-authority\nbefore reading it at all.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c","https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7","https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a","https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31612","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate EaNameLength in smb2_get_ea()\n\nsmb2_get_ea() reads ea_req->EaNameLength from the client request and\npasses it directly to strncmp() as the comparison length without\nverifying that the length of the name really is the size of the input\nbuffer received.\n\nFix this up by properly checking the size of the name based on the value\nreceived and the overall size of the request, to prevent a later\nstrncmp() call to use the length as a \"trusted\" size of the buffer.\nWithout this check, uninitialized heap values might be slowly leaked to\nthe 
client.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859","https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d","https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b","https://git.kernel.org/stable/c/dfc6878d14acafffbe670bf2576620757a10a3d8"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31613","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB reads parsing symlink error response\n\nWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()\nreturns success without any length validation, leaving the symlink\nparsers as the only defense against an untrusted server.\n\nsymlink_data() walks SMB 3.1.1 error contexts with the loop test \"p <\nend\", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset\n0.  When the server-controlled ErrorDataLength advances p to within 1-7\nbytes of end, the next iteration will read past it.  When the matching\ncontext is found, sym->SymLinkErrorTag is read at offset 4 from\np->ErrorContextData with no check that the symlink header itself fits.\n\nsmb2_parse_symlink_response() then bounds-checks the substitute name\nusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from\niov_base.  That value is computed as sizeof(smb2_err_rsp) +\nsizeof(smb2_symlink_err_rsp), which is correct only when\nErrorContextCount == 0.\n\nWith at least one error context the symlink data sits 8 bytes deeper,\nand each skipped non-matching context shifts it further by 8 +\nALIGN(ErrorDataLength, 8).  The check is too short, allowing the\nsubstitute name read to run past iov_len.  
The out-of-bound heap bytes\nare UTF-16-decoded into the symlink target and returned to userspace via\nreadlink(2).\n\nFix this all up by making the loops test require the full context header\nto fit, rejecting sym if its header runs past end, and bound the\nsubstitute name against the actual position of sym->PathBuffer rather\nthan a fixed offset.\n\nBecause sub_offs and sub_len are 16bits, the pointer math will not\noverflow here with the new greater-than.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/781902e069f4ecb6c3b83502f181972c1446110a","https://git.kernel.org/stable/c/a66ef2e7ed837325c5600f8617d5ee0a0a149fdd","https://git.kernel.org/stable/c/e0dd90d14cbbf318157ea8e3fb62ee68a28655ed"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31614","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix off-by-8 bounds check in check_wsl_eas()\n\nThe bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\nname and value, but ea_data sits at offset sizeof(struct\nsmb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()\nlater reads ea->ea_data[0..nlen-1] and the value bytes follow at\nea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1\n+ vlen.  
Isn't pointer math fun?\n\nThe earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the\n8-byte header is in bounds, but since the last EA is placed within 8\nbytes of the end of the response, the name and value bytes are read past\nthe end of iov.\n\nFix this mess all up by using ea->ea_data as the base for the bounds\ncheck.\n\nAn \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\ninto the EA name comparison and influence which WSL xattr the data is\ninterpreted as.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5","https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4","https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66","https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31615","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed 
driver.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51","https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0","https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d","https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31616","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info->frags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req->actual < req->length,\nwhere req->length is set to PAGE_SIZE by the gadget.  If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag().  
Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb->frags overflow in RX path\").","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711","https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673","https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7","https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31617","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size.  With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP.  
This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135","https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126","https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1","https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"],"published_time":"2026-04-24T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31601","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/xe: Reorganize the init to decouple migration from reset\n\nAttempting to issue reset on VF devices that don't support migration\nleads to the following:\n\n  BUG: unable to handle page fault for address: 00000000000011f8\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S   U              7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)\n  Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n  Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n  RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]\n  Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89\n  RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202\n  RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 
0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800\n  R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0\n  FS:  00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]\n   pci_dev_restore+0x3b/0x80\n   pci_reset_function+0x109/0x140\n   reset_store+0x5c/0xb0\n   dev_attr_store+0x17/0x40\n   sysfs_kf_write+0x72/0x90\n   kernfs_fop_write_iter+0x161/0x1f0\n   vfs_write+0x261/0x440\n   ksys_write+0x69/0xf0\n   __x64_sys_write+0x19/0x30\n   x64_sys_call+0x259/0x26e0\n   do_syscall_64+0xcb/0x1500\n   ? __fput+0x1a2/0x2d0\n   ? fput_close_sync+0x3d/0xa0\n   ? __x64_sys_close+0x3e/0x90\n   ? x64_sys_call+0x1b7c/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? __task_pid_nr_ns+0x68/0x100\n   ? __do_sys_getpid+0x1d/0x30\n   ? x64_sys_call+0x10b5/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? putname+0x41/0x90\n   ? do_faccessat+0x1e8/0x300\n   ? __x64_sys_access+0x1c/0x30\n   ? x64_sys_call+0x1822/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? tick_program_event+0x43/0xa0\n   ? hrtimer_interrupt+0x126/0x260\n   ? 
irqentry_exit+0xb2/0x710\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7877d5f1c5a4\n  Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\n  RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n  RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4\n  RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009\n  RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9\n  R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0\n   </TASK>\n\nThis is caused by the fact that some of the xe_vfio_pci_core_device\nmembers needed for handling reset are only initialized as part of\nmigration init.\n\nFix the problem by reorganizing the code to decouple VF init from\nmigration init.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/73e53ff144a538f1843b3dea1e2740a755031cdc","https://git.kernel.org/stable/c/8fa4113fc65b8b29a30fbbca5fd82221dc6e146e"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31602","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Limit PTP to a single page\n\nCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256\nplayback streams, but the additional pages are not used by the card\ncorrectly. The CT20K2 hardware already has multiple VMEM_PTPAL\nregisters, but using them separately would require refactoring the\nentire virtual memory allocation logic.\n\nct_vm_map() always uses PTEs in vm->ptp[0].area regardless of\nCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). 
When\naggregate memory allocations exceed this limit, ct_vm_map() tries to\naccess beyond the allocated space and causes a page fault:\n\n  BUG: unable to handle page fault for address: ffffd4ae8a10a000\n  Oops: Oops: 0002 [#1] SMP PTI\n  RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]\n  Call Trace:\n  atc_pcm_playback_prepare+0x225/0x3b0\n  ct_pcm_playback_prepare+0x38/0x60\n  snd_pcm_do_prepare+0x2f/0x50\n  snd_pcm_action_single+0x36/0x90\n  snd_pcm_action_nonatomic+0xbf/0xd0\n  snd_pcm_ioctl+0x28/0x40\n  __x64_sys_ioctl+0x97/0xe0\n  do_syscall_64+0x81/0x610\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count\nremain unchanged.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29","https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5","https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47","https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31603","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: sm750fb: fix division by zero in ps_to_hz()\n\nps_to_hz() is called from hw_sm750_crtc_set_mode() without validating\nthat pixclock is non-zero. 
A zero pixclock passed via FBIOPUT_VSCREENINFO\ncauses a division by zero.\n\nFix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent\nwith other framebuffer drivers.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1412ba36597a82e928f20047f41d6c6582dafe8a","https://git.kernel.org/stable/c/2f640c6043aeab31a2f607d7605271860c3b11df","https://git.kernel.org/stable/c/6144895a4335a2491c282931f1f2fa610b86339f","https://git.kernel.org/stable/c/daf6733bd7c4c5015b431739ac29b0e29021096b"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31604","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot to release it on all probe errors (e.g. 
when descriptor parsing\nfails).\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a","https://git.kernel.org/stable/c/89a9c1bc7d797120bcc290864e0cb10a440a677f","https://git.kernel.org/stable/c/a4f4371d194dfa5473cc961f86194084b1b13a69","https://git.kernel.org/stable/c/af7307e96dad00bcc2675dac650d8558a52f2c6f"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31605","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03797cdee38ef19c87785622d423aabaafb71c5f","https://git.kernel.org/stable/c/6de048d78f3029744778b7a2891745f3ca7c209a","https://git.kernel.org/stable/c/afaaaa38579f1252bb42b145f6e88a955c4f73f3","https://git.kernel.org/stable/c/cccbf9b7fdab48ce4feb69c24f7f928aa8e4e8b8"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31606","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: don't call cdev_init while cdev in use\n\nWhen calling unbind, then bind again, cdev_init reinitialized 
the cdev,\neven though there may still be references to it. That's the case when\nthe /dev/hidg* device is still opened. This obviously unsafe behavior\nlike oopes.\n\nThis fixes this by using cdev_alloc to put the cdev on the heap. That\nway, we can simply allocate a new one in hidg_bind.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5a229016ca3ac551294ec59770be9da94ec4bf63","https://git.kernel.org/stable/c/75ecc46828ec377dd5692c677168ef6d64fd7123","https://git.kernel.org/stable/c/c6c0d13db5d0f8d465eabc14bd23d2b6a7247a43","https://git.kernel.org/stable/c/eb6ef6185f2054a341ec70d7e2165f5381744215"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31607","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb->number_of_packets from the network PDU. 
This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb->iso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n  The buggy address is located 0 bytes to the right of\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). 
The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu->number_of_packets against\nurb->number_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3","https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384","https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4","https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"],"published_time":"2026-04-24T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31599","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. 
When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n <TASK>\n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07c1e474cf9acf777f09d14a8f8dfcef5b84e46f","https://git.kernel.org/stable/c/2dff11fb5098ae453651f8f77e94ad499c078022","https://git.kernel.org/stable/c/b832cfd516b8504e95884622cee60bf9a39b7945","https://git.kernel.org/stable/c/e589de36da106ef739ba98f66f5a5c2023370706"],"published_time":"2026-04-24T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31600","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: Handle invalid large leaf mappings correctly\n\nIt has been possible for a long time to mark ptes in the linear map as\ninvalid. This is done for secretmem, kfence, realm dma memory un/share,\nand others, by simply clearing the PTE_VALID bit. 
But until commit\na166563e7ec37 (\"arm64: mm: support large block mapping when\nrodata=full\") large leaf mappings were never made invalid in this way.\n\nIt turns out various parts of the code base are not equipped to handle\ninvalid large leaf mappings (in the way they are currently encoded) and\nI've observed a kernel panic while booting a realm guest on a\nBBML2_NOABORT system as a result:\n\n[   15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers\n[   15.476896] Unable to handle kernel paging request at virtual address ffff000019600000\n[   15.513762] Mem abort info:\n[   15.527245]   ESR = 0x0000000096000046\n[   15.548553]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   15.572146]   SET = 0, FnV = 0\n[   15.592141]   EA = 0, S1PTW = 0\n[   15.612694]   FSC = 0x06: level 2 translation fault\n[   15.640644] Data abort info:\n[   15.661983]   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n[   15.694875]   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[   15.723740]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000\n[   15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704\n[   15.855046] Internal error: Oops: 0000000096000046 [#1]  SMP\n[   15.886394] Modules linked in:\n[   15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT\n[   15.935258] Hardware name: linux,dummy-virt (DT)\n[   15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   15.986009] pc : __pi_memcpy_generic+0x128/0x22c\n[   16.006163] lr : swiotlb_bounce+0xf4/0x158\n[   16.024145] sp : ffff80008000b8f0\n[   16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000\n[   16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000\n[   16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0\n[   16.131946] x20: 
0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc\n[   16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974\n[   16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[   16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018\n[   16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000\n[   16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000\n[   16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000\n[   16.349071] Call trace:\n[   16.360143]  __pi_memcpy_generic+0x128/0x22c (P)\n[   16.380310]  swiotlb_tbl_map_single+0x154/0x2b4\n[   16.400282]  swiotlb_map+0x5c/0x228\n[   16.415984]  dma_map_phys+0x244/0x2b8\n[   16.432199]  dma_map_page_attrs+0x44/0x58\n[   16.449782]  virtqueue_map_page_attrs+0x38/0x44\n[   16.469596]  virtqueue_map_single_attrs+0xc0/0x130\n[   16.490509]  virtnet_rq_alloc.isra.0+0xa4/0x1fc\n[   16.510355]  try_fill_recv+0x2a4/0x584\n[   16.526989]  virtnet_open+0xd4/0x238\n[   16.542775]  __dev_open+0x110/0x24c\n[   16.558280]  __dev_change_flags+0x194/0x20c\n[   16.576879]  netif_change_flags+0x24/0x6c\n[   16.594489]  dev_change_flags+0x48/0x7c\n[   16.611462]  ip_auto_config+0x258/0x1114\n[   16.628727]  do_one_initcall+0x80/0x1c8\n[   16.645590]  kernel_init_freeable+0x208/0x2f0\n[   16.664917]  kernel_init+0x24/0x1e0\n[   16.680295]  ret_from_fork+0x10/0x20\n[   16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)\n[   16.723106] ---[ end trace 0000000000000000 ]---\n[   16.752866] Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x0000000b\n[   16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/747b6482e4e227fd351197dde6f64a97107a9e52","https://git.kernel.org/stable/c/8140b21d19015227a28c255404462f2d3e6edc9a","https://git.kernel.org/stable/c/cbea627ea634f41c79d18f0c6d20db66fa93514c"],"published_time":"2026-04-24T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31594","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to perform later. This leads to an oops when .allow_link fails\nor when .drop_link is performed. The following is an example oops of the\nformer case:\n\n  Unable to handle kernel paging request at virtual address dead000000000108\n  [...]\n  [dead000000000108] address between user and kernel address ranges\n  Internal error: Oops: 0000000096000044 [#1]  SMP\n  [...]\n  Call trace:\n   pci_epc_remove_epf+0x78/0xe0 (P)\n   pci_primary_epc_epf_link+0x88/0xa8\n   configfs_symlink+0x1f4/0x5a0\n   vfs_symlink+0x134/0x1d8\n   do_symlinkat+0x88/0x138\n   __arm64_sys_symlinkat+0x74/0xe0\n  [...]\n\nRemove the helper, and drop pci_epc_put(). 
EPC device refcounting is\ntied to the configfs EPC group lifetime, and pci_epc_put() in the\n.drop_link path is sufficient.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/478e776101592eb63298714e96823ef78a3295ec","https://git.kernel.org/stable/c/a7a3cab4d33fd8a8aed864c447d0d7c99e85404e","https://git.kernel.org/stable/c/cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a"],"published_time":"2026-04-24T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31595","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup\n\nDisable the delayed work before clearing BAR mappings and doorbells to\navoid running the handler after resources have been torn down.\n\n  Unable to handle kernel paging request at virtual address ffff800083f46004\n  [...]\n  Internal error: Oops: 0000000096000007 [#1]  SMP\n  [...]\n  Call trace:\n   epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)\n   process_one_work+0x154/0x3b0\n   worker_thread+0x2c8/0x400\n   kthread+0x148/0x210\n   ret_from_fork+0x10/0x20","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb","https://git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f","https://git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297","https://git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e"],"published_time":"2026-04-24T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31596","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle invalid dinode in 
ocfs2_group_extend\n\n[BUG]\nkernel BUG at fs/ocfs2/resize.c:308!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308\nCode: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe\nCall Trace:\n ...\n ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583\n x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\n[CAUSE]\nocfs2_group_extend() assumes that the global bitmap inode block\nreturned from ocfs2_inode_lock() has already been validated and\nBUG_ONs when the signature is not a dinode. That assumption is too\nstrong for crafted filesystems because the JBD2-managed buffer path\ncan bypass structural validation and return an invalid dinode to the\nresize ioctl.\n\n[FIX]\nValidate the dinode explicitly in ocfs2_group_extend(). 
If the global\nbitmap buffer does not contain a valid dinode, report filesystem\ncorruption with ocfs2_error() and fail the resize operation instead of\ncrashing the kernel.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10fb72c47aac446f12a4ccd962c7daa60cc890a1","https://git.kernel.org/stable/c/41c6e9bc3a09539deab43957a3211d902a4818f0","https://git.kernel.org/stable/c/911b557dd7817460881fd51a03069b539c674d0e","https://git.kernel.org/stable/c/e384a850a3370d89a7a446cdeccd964bfba2a302"],"published_time":"2026-04-24T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31597","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\n\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\n  \"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock\n  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\n\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\n\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. 
Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d","https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0","https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2","https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2"],"published_time":"2026-04-24T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31598","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix possible deadlock between unlink and dio_end_io_write\n\nocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,\nwhile in ocfs2_dio_end_io_write, it acquires these locks in reverse order.\nThis creates an ABBA lock ordering violation on lock classes\nocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and\nocfs2_file_ip_alloc_sem_key.\n\nLock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):\nocfs2_unlink\n  ocfs2_prepare_orphan_dir\n    ocfs2_lookup_lock_orphan_dir\n      inode_lock(orphan_dir_inode) <- lock A\n    __ocfs2_prepare_orphan_dir\n      ocfs2_prepare_dir_for_insert\n        ocfs2_extend_dir\n\t  ocfs2_expand_inline_dir\n\t    down_write(&oi->ip_alloc_sem) <- Lock B\n\nLock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):\nocfs2_dio_end_io_write\n  down_write(&oi->ip_alloc_sem) <- Lock B\n  ocfs2_del_inode_from_orphan()\n    inode_lock(orphan_dir_inode) <- Lock A\n\nDeadlock Scenario:\n  CPU0 (unlink)                     CPU1 (dio_end_io_write)\n  ------                            ------\n  inode_lock(orphan_dir_inode)\n                                    down_write(ip_alloc_sem)\n  down_write(ip_alloc_sem)\n                
                    inode_lock(orphan_dir_inode)\n\nip_alloc_sem is to protect allocation changes, which are unrelated\nto operations in ocfs2_del_inode_from_orphan.  So move\nocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b884d52273c60c298bd570163e8053657bbaff6","https://git.kernel.org/stable/c/bc0fb5c7d54c78be43a536df0e20dee32adb27d3","https://git.kernel.org/stable/c/e049f7a9bd80b7319590789ea5e1c523d6339d91","https://git.kernel.org/stable/c/f9fb1a7b635849322e1d7b7b6b26389778ec8e82"],"published_time":"2026-04-24T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31590","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivial to trigger from userspace, e.g. by doing:\n\n  struct kvm_enc_region range = {\n          .addr = 0,\n          .size = -1ul,\n  };\n\n  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX.  That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. 
instead of just shifting @ulen.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914","https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267","https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5","https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"],"published_time":"2026-04-24T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31591","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Lock all vCPUs when synchronizing VMSAs for SNP launch finish\n\nLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as\nallowing userspace to manipulate and/or run a vCPU while its state is being\nsynchronized would at best corrupt vCPU state, and at worst crash the host\nkernel.\n\nOpportunistically assert that vcpu->mutex is held when synchronizing its\nVMSA (the SEV-ES path already locks vCPUs).","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716","https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5","https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66"],"published_time":"2026-04-24T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31592","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock\n\nTake and hold kvm->lock before checking sev_guest() in\nsev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock\nis held (or KVM can guarantee 
KVM_SEV_INIT{2} has completed and can't\nrollback state).  If KVM_SEV_INIT{2} fails, KVM can end up trying to add to\na not-yet-initialized sev->regions_list, e.g. triggering a #GP\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G     U  W  O        6.16.0-smp-DEV #1 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n  RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83\n  Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00\n  RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256\n  RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000\n  RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000\n  RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000\n  R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000\n  R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000\n  FS:  00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371\n   kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363\n   __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f34e9f7e9a9\n  Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9\n  RDX: 0000200000000280 RSI: 
000000008010aebb RDI: 0000000000000007\n  RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8\n   </TASK>\n\nwith a syzlang reproducer that looks like:\n\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async)\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB=\"...\"], 0x4f}) (async)\n  r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)\n  r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)\n  r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)\n  r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)\n  ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)\n  ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async)\n  ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)\n  r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)\n  openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)\n  ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async)\n  r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)\n  close(r0) (async)\n  openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async)\n  ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)\n  ioctl$KVM_RUN(r5, 0xae80, 0x0)\n\nOpportunistically use guard() to avoid having to define a new error label\nand goto 
usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ff93ff0ba82e9511770e175fa50682a1ab14fb6","https://git.kernel.org/stable/c/35a0963d361f98bba798fd15d229dcb166c04684","https://git.kernel.org/stable/c/ab725ac3022469ecd4d7aa7d5646712e98b249d8"],"published_time":"2026-04-24T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31593","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. 
PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   </TASK>\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/692fdf05e55fa03960a1278afdc2478c12daea13","https://git.kernel.org/stable/c/6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab","https://git.kernel.org/stable/c/8f85a4885eee8cb495961ffa371a91828afb9445","https://git.kernel.org/stable/c/c9609847ae65ca36233077c2b6cb2bc0fb37c77a"],"published_time":"2026-04-24T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31589","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call ->free_folio() directly in folio_unmap_invalidate()\n\nWe can only call filemap_free_folio() if we have a reference to (or hold a\nlock on) the mapping.  
Otherwise, we've already removed the folio from the\nmapping so it no longer pins the mapping and the mapping can be removed,\ncausing a use-after-free when accessing mapping->a_ops.\n\nFollow the same pattern as __remove_mapping() and load the free_folio\nfunction pointer before dropping the lock on the mapping.  That lets us\nmake filemap_free_folio() static as this was the only caller outside\nfilemap.c.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/b667df39d98a7a24be7c2a40ff0863dac1ad2cd7","https://git.kernel.org/stable/c/c330e65ea59c4805d6ab6757c4ddfe8c63acef31"],"published_time":"2026-04-24T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31583","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,\ncreating a race with em28xx_v4l2_init()'s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev->v4l2 to NULL under dev->lock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,\n   since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n   v4l2->norm, since dev->v4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev->v4l2 read and\nadding a NULL check for dev->v4l2 under the 
lock.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5fb2940327722b4684d2f964b54c1c90aa277324","https://git.kernel.org/stable/c/6b9e66437cc6123ddedac141e1b8b6fcf57d2972","https://git.kernel.org/stable/c/871b8ea8ef39a6c253594649f4339378fad3d0dd","https://git.kernel.org/stable/c/dd2b888e08d3b3d6aacd65d76cd44fac11da750f"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31584","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx->encode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n    CPU 0 (release path)               CPU 1 (workqueue)\n    ---------------------               ------------------\n    fops_vcodec_release()\n      v4l2_m2m_ctx_release()\n        v4l2_m2m_cancel_job()\n        // waits for m2m job \"done\"\n                                        mtk_venc_worker()\n                                          v4l2_m2m_job_finish()\n                                          // m2m job \"done\"\n                                          // BUT worker still running!\n                                          // post-job_finish access:\n                                        other ctx dereferences\n                                          // UAF if ctx already freed\n        // returns (job \"done\")\n      kfree(ctx)  // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter 
v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n  queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)\nThe worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n  BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n  Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n  Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n  Allocated by task 47:\n    __kasan_kmalloc+0x7f/0x90\n    fops_vcodec_open+0x85/0x1a0\n\n  Freed by task 47:\n    __kasan_slab_free+0x43/0x70\n    kfree+0xee/0x3a0\n    fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(&ctx->list). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. 
Work is only scheduled later during device_run() operations.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0","https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b","https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1","https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31585","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. 
This corrupts the driver state: subsequent start_feed calls\nsee nfeeds > 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb->streaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n  vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n  vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n  vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n  vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n  vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b","https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b","https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd","https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31586","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls 
css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    <TASK>\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  
With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27","https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe","https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447","https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31587","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. 
Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanaged version so\nthat the dai pointers are only freed after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n 
snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n 
ret_from_fork+0x10/0x20","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb","https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af","https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2","https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31588","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\n\nWhen exiting to userspace to service an emulated MMIO write, copy the\nto-be-written value to a scratch field in the MMIO fragment if the size\nof the data payload is 8 bytes or less, i.e. can fit in a single chunk,\ninstead of pointing the fragment directly at the source value.\n\nThis fixes a class of use-after-free bugs that occur when the emulator\ninitiates a write using an on-stack, local variable as the source, the\nwrite splits a page boundary, *and* both pages are MMIO pages.  Because\nKVM's ABI only allows for physically contiguous MMIO requests, accesses\nthat split MMIO pages are separated into two fragments, and are sent to\nuserspace one at a time.  
When KVM attempts to complete userspace MMIO in\nresponse to KVM_RUN after the first fragment, KVM will detect the second\nfragment and generate a second userspace exit, and reference the on-stack\nvariable.\n\nThe issue is most visible if the second KVM_RUN is performed by a separate\ntask, in which case the stack of the initiating task can show up as truly\nfreed data.\n\n  ==================================================================\n  BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420\n  Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984\n\n  CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace:\n  dump_stack+0xbe/0xfd\n  print_address_description.constprop.0+0x19/0x170\n  __kasan_report.cold+0x6c/0x84\n  kasan_report+0x3a/0x50\n  check_memory_region+0xfd/0x1f0\n  memcpy+0x20/0x60\n  complete_emulated_mmio+0x305/0x420\n  kvm_arch_vcpu_ioctl_run+0x63f/0x6d0\n  kvm_vcpu_ioctl+0x413/0xb20\n  __se_sys_ioctl+0x111/0x160\n  do_syscall_64+0x30/0x40\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n  RIP: 0033:0x42477d\n  Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d\n  RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005\n  RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c\n  R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720\n\n  The buggy address belongs to the page:\n  page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37\n  flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n  raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 
0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n  ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                                                   ^\n  ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ==================================================================\n\nThe bug can also be reproduced with a targeted KVM-Unit-Test by hacking\nKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by\noverwriting the data value with garbage.\n\nLimit the use of the scratch fields to 8-byte or smaller accesses, and to\njust writes, as larger accesses and reads are not affected thanks to\nimplementation details in the emulator, but add a sanity check to ensure\nthose details don't change in the future.  Specifically, KVM never uses\non-stack variables for accesses larger than 8 bytes, e.g. 
uses an operand\nin the emulator context, and *al\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22d2ff69d487a32a8b88f9c970120fc2daa08a77","https://git.kernel.org/stable/c/2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e","https://git.kernel.org/stable/c/3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe","https://git.kernel.org/stable/c/b5a02d37eb0739f462fa12df449ab9b3480c783b"],"published_time":"2026-04-24T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31574","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclockevents: Add missing resets of the next_event_forced flag\n\nThe prevention mechanism against timer interrupt starvation missed to reset\nthe next_event_forced flag in a couple of places:\n\n    - When the clock event state changes. That can cause the flag to be\n      stale over a shutdown/startup sequence\n\n    - When a non-forced event is armed, which then prevents rearming before\n      that event. 
If that event is far out in the future this will cause\n      missed timer interrupts.\n\n    - In the suspend wakeup handler.\n\nThat led to stalls which have been reported by several people.\n\nAdd the missing resets, which fixes the problems for the reporters.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9401b593fa48218d2667df1610b0ebc518554880"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31575","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix hugetlb fault mutex hash calculation\n\nIn mfill_atomic_hugetlb(), linear_page_index() is used to calculate the\npage index for hugetlb_fault_mutex_hash().  However, linear_page_index()\nreturns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()\nexpects the index in huge page units.  This mismatch means that different\naddresses within the same huge page can produce different hash values,\nleading to the use of different mutexes for the same huge page.  
This can\ncause races between faulting threads, which can corrupt the reservation\nmap and trigger the BUG_ON in resv_map_release().\n\nFix this by introducing hugetlb_linear_page_index(), which returns the\npage index in huge page granularity, and using it in place of\nlinear_page_index().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08282b1bf74c69fc8ecd25493e7fdb5460f01290","https://git.kernel.org/stable/c/574501ede47ac439afd67ba9812bc66722d500ba","https://git.kernel.org/stable/c/f4689fc089765d36c026063fb22d23533e883eb6"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31576","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hackrf: fix to not free memory after the device is registered in hackrf_probe()\n\nIn hackrf driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nhackrf_probe()\n  kzalloc(); // alloc hackrf_dev\n  ....\n  v4l2_device_register();\n  ....\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open hackrf fd\n\t\t\t\t\t\t....\n  v4l2_device_unregister();\n  ....\n  kfree(); // free hackrf_dev\n  ....\n\t\t\t\t\t\tsys_ioctl(fd, ...);\n\t\t\t\t\t\t  v4l2_ioctl();\n\t\t\t\t\t\t    video_is_registered() // UAF!!\n\t\t\t\t\t\t....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  v4l2_release() // UAF!!\n\t\t\t\t\t\t    hackrf_video_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a V4L2 or video device is unregistered, the device node is removed so\nnew open() calls are blocked.\n\nHowever, file descriptors that are already open-and any in-flight I/O-do\nnot terminate immediately; they remain valid until the last reference is\ndropped and the driver's release() is invoked.\n\nTherefore, freeing device memory on the error path after hackrf_probe()\nhas registered 
dev it will lead to a race to use-after-free vuln, since\nthose already-open handles haven't been released yet.\n\nAnd since release() free memory too, race to use-after-free and\ndouble-free vuln occur.\n\nTo prevent this, if device is registered from probe(), it should be\nmodified to free memory only through release() rather than calling\nkfree() directly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824","https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848","https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9","https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31577","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode's btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. 
However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/41de342278ae025c99cc8d33648773f05e306cf1","https://git.kernel.org/stable/c/449ec5fc99f45974525ba9eea16b6670c45cd363","https://git.kernel.org/stable/c/97fb7afec404912d967a7d4715f37742666b3084","https://git.kernel.org/stable/c/c36e206f302f1ddefed92d09ecbba070e1ae079e"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31578","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n  kzalloc(); // alloc as102_dev_t\n  ....\n  usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n  usb_deregister_dev();\n  ....\n  kfree(); // free as102_dev_t\n  ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  as102_release() // UAF!!\n\t\t\t\t\t\t    as102_usb_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. 
However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver's .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --> as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086","https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032","https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2","https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31579","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  
This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982","https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841","https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31580","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix cached_dev.sb_bio use-after-free and crash\n\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n\n```\n[6888366.280350] Call Trace:\n[6888366.280452]  blk_update_request+0x14e/0x370\n[6888366.280561]  blk_mq_end_request+0x1a/0x130\n[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903]  
__complete_request+0x22/0x70 [libceph]\n[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164]  ? inet_recvmsg+0x5b/0xd0\n[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]\n```\n\nAfter analyzing the coredump file, we found that the address of\ndc->sb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\n\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime.  If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\n\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\n\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576","https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9","https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27","https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31581","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: fix use-after-free on disconnect\n\nIn usb6fire_chip_abort(), the chip struct is allocated as the card's\nprivate data (via snd_card_new with sizeof(struct sfire_chip)).  When\nsnd_card_free_when_closed() is called and no file handles are open, the\ncard and embedded chip are freed synchronously.  
The subsequent\nchip->card = NULL write then hits freed slab memory.\n\nCall trace:\n  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]\n  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182\n  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458\n  ...\n  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953\n\nFix by moving the card lifecycle out of usb6fire_chip_abort() and into\nusb6fire_chip_disconnect().  The card pointer is saved in a local\nbefore any teardown, snd_card_disconnect() is called first to prevent\nnew opens, URBs are aborted while chip is still valid, and\nsnd_card_free_when_closed() is called last so chip is never accessed\nafter the card may be freed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65","https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185","https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0","https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31582","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (powerz) Fix use-after-free on USB disconnect\n\nAfter powerz_disconnect() frees the URB and releases the mutex, a\nsubsequent powerz_read() call can acquire the mutex and call\npowerz_read_data(), which dereferences the freed URB pointer.\n\nFix by:\n - Setting priv->urb to NULL in powerz_disconnect() so that\n   powerz_read_data() can detect the disconnected state.\n - Adding a !priv->urb check at the start of powerz_read_data()\n   to return -ENODEV on a disconnected device.\n - Moving usb_set_intfdata() before hwmon registration so the\n   disconnect handler can always find the priv 
pointer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/61f2aa23b0ce8d7aa5071ed25a7471e246a4fdd4","https://git.kernel.org/stable/c/7003ae4810ca83f0ddca85b768500e313c4b998c","https://git.kernel.org/stable/c/9e1b798257f96d2e2a2639830eb71add545ce749","https://git.kernel.org/stable/c/c78e1d4e48f23792adaa7c94251e22b0d9700a39"],"published_time":"2026-04-24T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31566","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. 
This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69","https://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4","https://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec","https://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be","https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b","https://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31567","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()\n\nCommit 35e4a69b2003f (\"PM: sleep: Allow pm_restrict_gfp_mask()\nstacking\") introduced refcount-based GFP mask management that warns\nwhen pm_restore_gfp_mask() is called with saved_gfp_count == 0.\n\nSome hibernation paths call pm_restore_gfp_mask() defensively where\nthe GFP mask may or may not be restricted depending on the execution\npath. 
For example, the uswsusp interface invokes it in\nSNAPSHOT_CREATE_IMAGE, SNAPSHOT_UNFREEZE, and snapshot_release().\nBefore the stacking change this was a silent no-op; it now triggers\na spurious WARNING.\n\nRemove the WARN_ON() wrapper from the !saved_gfp_count check while\nretaining the check itself, so that defensive calls remain harmless\nwithout producing false warnings.\n\n[ rjw: Subject tweak ]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3025ca5daa9d682b629c0c958b538e41deeb559d","https://git.kernel.org/stable/c/a8d51efb5929ae308895455a3e496b5eca2cd143","https://git.kernel.org/stable/c/f19d1323aa3dd7ead469aef47d9085f8939565d9"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31568","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Add missing secure storage access fixups for donated memory\n\nThere are special cases where secure storage access exceptions happen\nin a kernel context for pages that don't have the PG_arch_1 bit\nset. That bit is set for non-exported guest secure storage (memory)\nbut is absent on storage donated to the Ultravisor since the kernel\nisn't allowed to export donated pages.\n\nPrior to this patch we would try to export the page by calling\narch_make_folio_accessible() which would instantly return since the\narch bit is absent signifying that the page was already exported and\nno further action is necessary. 
This leads to secure storage access\nexception loops which can never be resolved.\n\nWith this patch we unconditionally try to export and if that fails we\nfixup.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43ac2d18db1131df0a89993f709131ebfc29f3bd","https://git.kernel.org/stable/c/b00be77302d7ec4ad0367bb236494fce7172b730","https://git.kernel.org/stable/c/b36b0e804aee5f20c6798dbeaeaa7cfdb7c6cf88"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31569","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Handle the case that EIOINTC's coremap is empty\n\nEIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently\nwe get a cpuid with -1 in this case, but we actually need 0 because it's\nsimilar as the case that cpuid >= 4.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/126053d0a685bf1f2e98db8966386f38b2336338","https://git.kernel.org/stable/c/2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3","https://git.kernel.org/stable/c/b97bd69eb0f67b5f961b304d28e9ba45e202d841"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31570","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n    int from = calc_idx(crc8->from_idx, cf->len);\n    int to   = calc_idx(crc8->to_idx,   cf->len);\n    int res  = calc_idx(crc8->result_idx, cf->len);\n\n    if (from < 
0 || to < 0 || res < 0)\n        return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n    for (i = crc8->from_idx; ...)        /* BUG: raw negative index */\n    cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5","https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a","https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801","https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379","https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544","https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a","https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a","https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31571","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Unlink NV12 
planes earlier\n\nunlink_nv12_plane() will clobber parts of the plane state\npotentially already set up by plane_atomic_check(), so we\nmust make sure not to call the two in the wrong order.\nThe problem happens when a plane previously selected as\na Y plane is now configured as a normal plane by user space.\nplane_atomic_check() will first compute the proper plane\nstate based on the userspace request, and unlink_nv12_plane()\nlater clears some of the state.\n\nThis used to work on account of unlink_nv12_plane() skipping\nthe state clearing based on the plane visibility. But I removed\nthat check, thinking it was an impossible situation. Now when\nthat situation happens unlink_nv12_plane() will just WARN\nand proceed to clobber the state.\n\nRather than reverting to the old way of doing things, I think\nit's more clear if we unlink the NV12 planes before we even\ncompute the new plane state.\n\n(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12f3b6cbab8fbeb95097685b40f0147406cf9746","https://git.kernel.org/stable/c/70e2eb91cb6310a3508439f6f2539dfffa0abf77","https://git.kernel.org/stable/c/bfa71b7a9dc6b5b8af157686e03308291141d00c"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31572","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: amdisp: Fix resume-probe race condition issue\n\nIdentified resume-probe race condition in kernel v7.0 with the commit\n38fa29b01a6a (\"i2c: designware: Combine the init functions\"),but this\nissue existed from the beginning though not detected.\n\nThe amdisp i2c device requires ISP to be in power-on state for probe\nto succeed. 
To meet this requirement, this device is added to genpd\nto control ISP power using runtime PM. The pm_runtime_get_sync() called\nbefore i2c_dw_probe() triggers PM resume, which powers on ISP and also\ninvokes the amdisp i2c runtime resume before the probe completes resulting\nin this race condition and a NULL dereferencing issue in v7.0\n\nFix this race condition by using the genpd APIs directly during probe:\n  - Call dev_pm_genpd_resume() to Power ON ISP before probe\n  - Call dev_pm_genpd_suspend() to Power OFF ISP after probe\n  - Set the device to suspended state with pm_runtime_set_suspended()\n  - Enable runtime PM only after the device is fully initialized","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/83bcea9da91965484df64a6492b89e65d41ab31c","https://git.kernel.org/stable/c/e2f1ada8e089dd5a331bcd8b88125ae2af8d188f","https://git.kernel.org/stable/c/e81f0341754c309e33babea2821eda8f98f0b44c"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31573","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: Fix kernel panic due to __initconst misuse\n\nFix a kernel panic when probing the driver as a module:\n\n  Unable to handle kernel paging request at virtual address\n  ffffd9c18eb05000\n  of_find_matching_node_and_match+0x5c/0x1a0\n  hantro_probe+0x2f4/0x7d0 [hantro_vpu]\n\nThe imx8mq_vpu_shared_resources array is referenced by variant\nstructures through their shared_devices field. 
When built as a\nmodule, __initconst causes this data to be freed after module\ninit, but it's later accessed during probe, causing a page fault.\n\nThe imx8mq_vpu_shared_resources is referenced from non-init code,\nso keeping __initconst or __initconst_or_module here is wrong.\n\nDrop the __initconst annotation and let it live in the normal .rodata\nsection.\n\nA bug of __initconst called from regular non-init probe code\nleading to bugs during probe deferrals or during unbind-bind cycles.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e7e9119cf9b0d8585b27653b1a6dc31397c252e","https://git.kernel.org/stable/c/e8d97c270cb46a2a88739019d0f8547adc7d97da"],"published_time":"2026-04-24T15:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31557","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n  nvmet_execute_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\n  nvmet_add_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n  nvmet_rdma_cm_handler()\n     nvmet_rdma_queue_disconnect()\n       __nvmet_rdma_queue_disconnect()\n         queue_work(nvmet_wq, &queue->release_work)\n           process_one_work()\n             lock((wq_completion)nvmet-wq)  <--------- 1st\n             nvmet_rdma_release_queue_work()\n\nC. 
Recursive path (same worker):\n  nvmet_rdma_release_queue_work()\n     nvmet_rdma_free_queue()\n       nvmet_sq_destroy()\n         nvmet_ctrl_put()\n           nvmet_ctrl_free()\n             flush_work(&ctrl->async_event_work)\n               __flush_work()\n                 touch_wq_lockdep_map()\n                 lock((wq_completion)nvmet-wq) <--------- 2nd\n\nLockdep splat:\n\n  ============================================\n  WARNING: possible recursive locking detected\n  6.19.0-rc3nvme+ #14 Tainted: G                 N\n  --------------------------------------------\n  kworker/u192:42/44933 is trying to acquire lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n  but task is already holding lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n  3 locks held by kworker/u192:42/44933:\n   #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n   #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n   #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n  Call Trace:\n   __flush_work+0x268/0x530\n   nvmet_ctrl_free+0x140/0x310 [nvmet]\n   nvmet_cq_put+0x74/0x90 [nvmet]\n   nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n   nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n   process_one_work+0x206/0x660\n   worker_thread+0x184/0x320\n   kthread+0x10c/0x240\n   ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on 
nvmet-wq.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87","https://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e","https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa","https://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31558","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust\n\nkvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so\ncpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this\ncase so as to make it more robust.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2db06c15d8c7a0ccb6108524e16cd9163753f354","https://git.kernel.org/stable/c/47857b05bd50db01e211a1b6f513d57901cd3e6b","https://git.kernel.org/stable/c/596c3f8069c4792f22fce8c4452f44410032d910","https://git.kernel.org/stable/c/878cf6acb4fd8ab4126cf9d369a5bb0e23123418"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31559","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix missing NULL checks for kstrdup()\n\n1. Replace \"of_find_node_by_path(\"/\")\" with \"of_root\" to avoid multiple\ncalls to \"of_node_put()\".\n\n2. 
Fix a potential kernel oops during early boot when memory allocation\nfails while parsing CPU model from device tree.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a28daa9b7d7c2ddf2c722e9e95d7e0928bf0cd1","https://git.kernel.org/stable/c/5e7fde2c551f86e6c3de3fd7a9b1f52806ac8db0","https://git.kernel.org/stable/c/a1da957c25cf751a2dce8fb7777f82ccbac0cb3e","https://git.kernel.org/stable/c/b61a309743322fb57fb9afa9aa3495ac758e4f5e"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31560","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-dw-dma: fix print error log when wait finish transaction\n\nIf an error occurs, the device may not have a current message. In this\ncase, the system will crash.\n\nIn this case, it's better to use dev from the struct ctlr (struct spi_controller*).","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/184f5aaf72f1f1c73e66bae0b8d28e81c2f2a72f","https://git.kernel.org/stable/c/3b46d61890632c8f8b117147b6923bff4b42ccb7"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31561","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. 
Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b","https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85","https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22","https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31562","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register\n\nThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,\nwhich uses dev_get_drvdata to retrieve the mtk_dsi 
struct, so this\nstructure needs to be stored inside the driver data before invoking it.\n\nAs drvdata is currently uninitialized it leads to a crash when\nregistering the DSI DRM encoder right after acquiring\nthe mode_config.idr_mutex, blocking all subsequent DRM operations.\n\nFixes the following crash during mediatek-drm probe (tested on Xiaomi\nSmart Clock x04g):\n\nUnable to handle kernel NULL pointer dereference at virtual address\n 0000000000000040\n[...]\nModules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib\n drm_dma_helper drm_kms_helper panel_simple\n[...]\nCall trace:\n drm_mode_object_add+0x58/0x98 (P)\n __drm_encoder_init+0x48/0x140\n drm_encoder_init+0x6c/0xa0\n drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]\n mtk_dsi_bind+0x34/0x13c [mediatek_drm]\n component_bind_all+0x120/0x280\n mtk_drm_bind+0x284/0x67c [mediatek_drm]\n try_to_bring_up_aggregate_device+0x23c/0x320\n __component_add+0xa4/0x198\n component_add+0x14/0x20\n mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]\n mipi_dsi_attach+0x2c/0x50\n panel_simple_dsi_probe+0x4c/0x9c [panel_simple]\n mipi_dsi_drv_probe+0x1c/0x28\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __device_attach_driver+0xbc/0x17c\n bus_for_each_drv+0x88/0xf0\n __device_attach+0x9c/0x1cc\n device_initial_probe+0x54/0x60\n bus_probe_device+0x34/0xa0\n device_add+0x5b0/0x800\n mipi_dsi_device_register_full+0xdc/0x16c\n mipi_dsi_host_register+0xc4/0x17c\n mtk_dsi_probe+0x10c/0x260 [mediatek_drm]\n platform_probe+0x5c/0xa4\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __driver_attach+0xc8/0x1f8\n bus_for_each_dev+0x7c/0xe0\n driver_attach+0x24/0x30\n bus_add_driver+0x11c/0x240\n driver_register+0x68/0x130\n __platform_register_drivers+0x64/0x160\n mtk_drm_init+0x24/0x1000 [mediatek_drm]\n do_one_initcall+0x60/0x1d0\n do_init_module+0x54/0x240\n load_module+0x1838/0x1dc0\n init_module_from_file+0xd8/0xf0\n 
__arm64_sys_finit_module+0x1b4/0x428\n invoke_syscall.constprop.0+0x48/0xc8\n do_el0_svc+0x3c/0xb8\n el0_svc+0x34/0xe8\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a","https://git.kernel.org/stable/c/9a709b7e36324dfc1e6728eb81405470b7ae84e5","https://git.kernel.org/stable/c/df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31563","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Use dev_consume_skb_any() to free TX SKBs\n\nThe napi_consume_skb() function is not intended to be called in an IRQ\ndisabled context. However, after commit 6bc8a5098bf4 (\"net: macb: Fix\ntx_ptr_lock locking\"), the freeing of TX SKBs is performed with IRQs\ndisabled. 
To resolve the following call trace, use dev_consume_skb_any()\nfor freeing TX SKBs:\n   WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15\n   Modules linked in:\n   CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT\n   Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n   pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : __local_bh_enable_ip+0x174/0x188\n   lr : local_bh_enable+0x24/0x38\n   sp : ffff800082b3bb10\n   x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0\n   x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80\n   x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000\n   x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001\n   x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000\n   x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650\n   x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258\n   x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000\n   x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\n   x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc\n   Call trace:\n    __local_bh_enable_ip+0x174/0x188 (P)\n    local_bh_enable+0x24/0x38\n    skb_attempt_defer_free+0x190/0x1d8\n    napi_consume_skb+0x58/0x108\n    macb_tx_poll+0x1a4/0x558\n    __napi_poll+0x50/0x198\n    net_rx_action+0x1f4/0x3d8\n    handle_softirqs+0x16c/0x560\n    run_ksoftirqd+0x44/0x80\n    smpboot_thread_fn+0x1d8/0x338\n    kthread+0x120/0x150\n    ret_from_fork+0x10/0x20\n   irq event stamp: 29751\n   hardirqs last  enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88\n   hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98\n   softirqs last  enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560\n   softirqs last disabled at (29153): [<ffff8000800f2fec>] 
run_ksoftirqd+0x44/0x80","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/647b8a2fe474474704110db6bd07f7a139e621eb","https://git.kernel.org/stable/c/78c8b090a3d5c1689dc989861b0163180db2b3f8","https://git.kernel.org/stable/c/92e7081f0c79d9073087e54bab745bb184192c2e","https://git.kernel.org/stable/c/984350b37372f79f71d4f0a5264c640e40daf9ce","https://git.kernel.org/stable/c/ca4d05afb4683d685bb2c6fccae4386c478f524a","https://git.kernel.org/stable/c/f4bc91398b579730284328322365afa77a9d568f"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31564","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()\n\nIn function kvm_eiointc_regs_access(), the register base address is\ncaculated from array base address plus offset, the offset is absolute\nvalue from the base address. The data type of array base address is\nu64, it should be converted into the \"void *\" type and then plus the\noffset.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6bcfb7f46d667b04bd1a1169ccedf5fb699c60df","https://git.kernel.org/stable/c/c4f0a9481cf0dd7c71a07484bc98f2570fdb3a82"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31565","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix deadlock during netdev reset with active connections\n\nResolve deadlock that occurs when user executes netdev reset while RDMA\napplications (e.g., rping) are active. 
The netdev reset causes ice\ndriver to remove irdma auxiliary driver, triggering device_delete and\nsubsequent client removal. During client removal, uverbs_client waits\nfor QP reference count to reach zero while cma_client holds the final\nreference, creating circular dependency and indefinite wait in iWARP\nmode. Skip QP reference count wait during device reset to prevent\ndeadlock.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/009831768faeca3fb5950ce63f1b49594ec82389","https://git.kernel.org/stable/c/464bbb844ba5b68e038220c34019069a0a9f1581","https://git.kernel.org/stable/c/6f52370970ac07d352a7af4089e55e0e6425f827","https://git.kernel.org/stable/c/a8a1c7621127a15a02494b96ee376406c064237b","https://git.kernel.org/stable/c/acb060bc2609c2eab49263968be59c7d59d497bc","https://git.kernel.org/stable/c/adf0de36e52a48681eb58cbd7cbf6c8d200caa2b","https://git.kernel.org/stable/c/cd8bcec2de5e24e05c34c9391940fda6f50e79b4"],"published_time":"2026-04-24T15:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31549","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cp2615: fix serial string NULL-deref at probe\n\nThe cp2615 driver uses the USB device serial string as the i2c adapter\nname but does not make sure that the string exists.\n\nVerify that the device has a serial number before accessing it to avoid\ntriggering a NULL-pointer dereference (e.g. 
with malicious devices).","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13ccf9b106bba121728f1625c4375a1bd8f5c5a3","https://git.kernel.org/stable/c/4a22af879172336370ae3e81e7f65fb2f69472ee","https://git.kernel.org/stable/c/69aece634a7eebafd9a596e5494d52facf6f26ec","https://git.kernel.org/stable/c/a9778298f47036866ea15eeb17242e8a4612580f","https://git.kernel.org/stable/c/aa79f996eb41e95aed85a1bd7f56bcd6a3842008","https://git.kernel.org/stable/c/e68c267787778bcdf3d91b06f794faaba7f0d1d1","https://git.kernel.org/stable/c/efe996bcfe50c2dcc6cf65c574285713b722ced7"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31550","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: bcm: bcm2835-power: Increase ASB control timeout\n\nThe bcm2835_asb_control() function uses a tight polling loop to wait\nfor the ASB bridge to acknowledge a request. During intensive workloads,\nthis handshake intermittently fails for V3D's master ASB on BCM2711,\nresulting in \"Failed to disable ASB master for v3d\" errors during\nruntime PM suspend. As a consequence, the failed power-off leaves V3D in\na broken state, leading to bus faults or system hangs on later accesses.\n\nAs the timeout is insufficient in some scenarios, increase the polling\ntimeout from 1us to 5us, which is still negligible in the context of a\npower domain transition. 
Also, replace the open-coded ktime_get_ns()/\ncpu_relax() polling loop with readl_poll_timeout_atomic().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e84e74849d2d7e9b23a09c2d5e0d9357db1ca59","https://git.kernel.org/stable/c/18605b1b936b66b1f34dcf8e9ad4f1fbcf7a7c13","https://git.kernel.org/stable/c/572f17180f26619809b8e0593d926762aa8660ff","https://git.kernel.org/stable/c/622ab02e955c35c125ff2b65d8327b2c52db8758","https://git.kernel.org/stable/c/9443202d91388026dbf7312972a74fbfd27ee82f","https://git.kernel.org/stable/c/b826d2c0b0ecb844c84431ba6b502e744f5d919a","https://git.kernel.org/stable/c/c5e734f6a0740dce92e7c919e632cb43fa5d4e53","https://git.kernel.org/stable/c/ea4fa54b83bb2e4a21e9026824bfe271b1a6ee1e"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31551","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix static_branch_dec() underflow for aql_disable.\n\nsyzbot reported static_branch_dec() underflow in aql_enable_write(). 
[0]\n\nThe problem is that aql_enable_write() does not serialise concurrent\nwrite()s to the debugfs.\n\naql_enable_write() checks static_key_false(&aql_disable.key) and\nlater calls static_branch_inc() or static_branch_dec(), but the\nstate may change between the two calls.\n\naql_disable does not need to track inc/dec.\n\nLet's use static_branch_enable() and static_branch_disable().\n\n[0]:\nval == 0\nWARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288\nModules linked in:\nCPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)\nTainted: [U]=USER, [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026\nRIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311\nCode: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00\nRSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4\nRDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000\nRBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a\nR13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98\nFS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]\n __static_key_slow_dec kernel/jump_label.c:321 [inline]\n static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336\n aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343\n short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383\n vfs_write+0x2aa/0x1070 
fs/read_write.c:684\n ksys_pwrite64 fs/read_write.c:793 [inline]\n __do_sys_pwrite64 fs/read_write.c:801 [inline]\n __se_sys_pwrite64 fs/read_write.c:798 [inline]\n __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f530cf9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012\nRAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9\nRDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010\nRBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978\n </TASK>","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/256f7d4c11235d0569f78413c41dc89d2dc1557c","https://git.kernel.org/stable/c/29a1a350afcd28a2150bd73b8bd83eac3480f13e","https://git.kernel.org/stable/c/5ba05436f15d16ae7ab04b880e8bf8d440be892b","https://git.kernel.org/stable/c/787152497ac763deab16f6f4b7ce79aaeb3eb7e8","https://git.kernel.org/stable/c/8bb90ff77326c34e75b573b1febdd9586fec5aba","https://git.kernel.org/stable/c/b24763d32d5b4ada766deca4b42d6766272fef0c","https://git.kernel.org/stable/c/b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31552","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough 
headroom\n\nSince upstream commit e75665dd0968 (\"wifi: wlcore: ensure skb headroom\nbefore skb_push\"), wl1271_tx_allocate() and with it\nwl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.\nHowever, in wlcore_tx_work_locked(), a return value of -EAGAIN from\nwl1271_prepare_tx_frame() is interpreted as the aggregation buffer being\nfull. This causes the code to flush the buffer, put the skb back at the\nhead of the queue, and immediately retry the same skb in a tight while\nloop.\n\nBecause wlcore_tx_work_locked() holds wl->mutex, and the retry happens\nimmediately with GFP_ATOMIC, this will result in an infinite loop and a\nCPU soft lockup. Return -ENOMEM instead so the packet is dropped and\nthe loop terminates.\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12f9eef39e49716c763714bfda835a733d5f6dea","https://git.kernel.org/stable/c/46c670ff1ff466e5eccb3940f726586473dc053c","https://git.kernel.org/stable/c/980f793645540ca7a6318165cc12f49d5febeb99","https://git.kernel.org/stable/c/a6dc74209462c4fe5a88718d2f3a5286886081c8","https://git.kernel.org/stable/c/ceb46b40b021d21911ff8608ce4ed33c1264ad2f","https://git.kernel.org/stable/c/cfa64e2b3717be1da7c4c1aff7268a009e8c1610","https://git.kernel.org/stable/c/deb353d9bb009638b7762cae2d0b6e8fdbb41a69","https://git.kernel.org/stable/c/f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31553","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()\n\nUsing \"(u64 __user *)hva + offset\" to get the virtual addresses of 
S1/S2\ndescriptors looks really wrong, if offset is not zero. What we want to get\nfor swapping is hva + offset, not hva + offset*8. ;-)\n\nFix it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0496acc42fb51eee040b5170cec05cec41385540","https://git.kernel.org/stable/c/4307e05e568782fc92eff651b09ee5dee88a058d"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31554","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Require sys_futex_requeue() to have identical flags\n\nNicholas reported that his LLM found it was possible to create a UaF\nwhen sys_futex_requeue() is used with different flags. The initial\nmotivation for allowing different flags was the variable sized futex,\nbut since that hasn't been merged (yet), simply mandate the flags are\nidentical, as is the case for the old style sys_futex() requeue\noperations.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/027145ace09fad4c7cbcd6c61fe9b429c63eb0e5","https://git.kernel.org/stable/c/18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a","https://git.kernel.org/stable/c/19f94b39058681dec64a10ebeb6f23fe7fc3f77a","https://git.kernel.org/stable/c/e2f78c7ec1655fedd945366151ba54fcb9580508"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31555","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen 
futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n  CPU0\t\t\t     CPU1\t\t       CPU2\n  futex_lock_pi(uaddr)\n  // acquires the PI futex\n  exit()\n    futex_cleanup_begin()\n      futex_state = EXITING;\n\t\t\t     futex_lock_pi(uaddr)\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t   // observes EXITING\n\t\t\t\t   *exiting = owner;  // takes ref\n\t\t\t\t   return -EBUSY\n\t\t\t       wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct();   // drops ref\n\t\t\t       // exiting still points to owner\n\t\t\t       goto retry;\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t   cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t   // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t       wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with 
requeue_pi.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83","https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa","https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa","https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23","https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293","https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d","https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da","https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31556","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: scrub: unlock dquot before early return in quota scrub\n\nxchk_quota_item can return early after calling xchk_fblock_process_error.\nWhen that helper returns false, the function returned immediately without\ndropping dq->q_qlock, which can leave the dquot lock held and risk lock\nleaks or deadlocks in later quota operations.\n\nFix this by unlocking dq->q_qlock before the early return.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/268378b6ad20569af0d1957992de1c8b16c6e900","https://git.kernel.org/stable/c/3b0c3414b308e6822cda90bf99f7eac94d4cca2b","https://git.kernel.org/stable/c/d128fc0c5c2b19224927d4fd2a46c2fe6a1f606f","https://git.kernel.org/stable/c/e822f535273af0e8968eab7acc0cea0b90dd25af"],"published_time":"2026-04-24T15:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31541","summary":"In the 
Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstances buffer. When the option is set, that instance's trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations uses an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that its removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at if the list is empty.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7","https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e","https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31542","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/platform/uv: Handle 
deconfigured sockets\n\nWhen a socket is deconfigured, it's mapped to SOCK_EMPTY (0xffff). This causes\na panic while allocating UV hub info structures.\n\nFix this by using NUMA_NO_NODE, allowing UV hub info structures to be\nallocated on valid nodes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f6aa5bbf1d0f81a8a2aafc16136e7dd9a609ff3","https://git.kernel.org/stable/c/79f0faf81d3bbbe5f07bf6892450d3740a1b290d","https://git.kernel.org/stable/c/9956d4892e78812246336c7ea51f5aa62018049e","https://git.kernel.org/stable/c/c1cf2218d2fa40a49921a7460981e5faab26f04e","https://git.kernel.org/stable/c/c51957601d32c0d195bce0b9345dfe93ef5728cc"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31543","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrash_dump: don't log dm-crypt key bytes in read_key_from_user_keying\n\nWhen debug logging is enabled, read_key_from_user_keying() logs the first\n8 bytes of the key payload and partially exposes the dm-crypt key.  
Stop\nlogging any key bytes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/36f46b0e36892eba08978eef7502ff3c94ddba77","https://git.kernel.org/stable/c/4897bd307ba8757c31a3325ba6730961be606016","https://git.kernel.org/stable/c/ed8d91f469845d62d44c565a55d2ab1767969357"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31544","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix NULL dereference on notify error path\n\nSince commit b5daf93b809d1 (\"firmware: arm_scmi: Avoid notifier\nregistration for unsupported events\") the call chains leading to the helper\n__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to\nget an handler for the requested event key, while the current helper can\nstill return a NULL when no handler could be found or created.\n\nFix by forcing an ERR_PTR return value when the handler reference is NULL.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/555317d6100164748f7d09f80142739bd29f0cda","https://git.kernel.org/stable/c/70d9bd9a2e683afe6200b0c20af22f06f1a199a4","https://git.kernel.org/stable/c/8414d2800c34528467df23ce6192c254a73e4459"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31545","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nxp-nci: allow GPIOs to sleep\n\nAllow the firmware and enable GPIOs to sleep.\n\nThis fixes a `WARN_ON' and allows the driver to operate GPIOs which are\nconnected to I2C GPIO expanders.\n\n-- >8 --\nkernel: WARNING: CPU: 3 PID: 2636 at 
drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98\n-- >8 --","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c2320c3c860d281cbc2f49fc574c1947a6b9e2a","https://git.kernel.org/stable/c/2a175bc3c338c6b2bc55004e93dd35a2467bdca2","https://git.kernel.org/stable/c/4de9ed2ea22d611b4149969266b45a86ea8daf35","https://git.kernel.org/stable/c/548a1bfe591364e63bce4af7c5802bb434efdaf8","https://git.kernel.org/stable/c/55dc632ab2ac2889b15995a9eef56c753d48ebc7","https://git.kernel.org/stable/c/70662874f646871c2f08ef1cf2544ba9a5f71b96","https://git.kernel.org/stable/c/783f05e560d761dee7ff602b97edb0e54f2e9727","https://git.kernel.org/stable/c/c24dcac1a9d1b4fd164898df0c2f5b0adbf81a78"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31546","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. 
However, bond_debug_rlb_hash_show\nvisites client_info->slave without checking if it's NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info->slave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[    1.295897] Call Trace:\n[    1.296134]  seq_read_iter (fs/seq_file.c:231)\n[    1.296341]  seq_read (fs/seq_file.c:164)\n[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[    1.296658]  vfs_read (fs/read_write.c:572)\n[    1.296981]  ksys_read (fs/read_write.c:717)\n[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned 
slave.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/017d674cf6930e9586a29ee808c7ca09d1396d07","https://git.kernel.org/stable/c/0a3f8cd3f370247ded14d38d216b49dd30eade76","https://git.kernel.org/stable/c/19f0fd87df0e5746b24f5caa465a66a8c6e6e241","https://git.kernel.org/stable/c/2ec2c777f357a83c3d503d8d9370c90b60f0ae63","https://git.kernel.org/stable/c/605b52497bf89b3b154674deb135da98f916e390","https://git.kernel.org/stable/c/6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4","https://git.kernel.org/stable/c/ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c","https://git.kernel.org/stable/c/edacf1613f7b26423ebfa8b2892e7453c4235354"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31547","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix missing runtime PM reference in ccs_mode_store\n\nccs_mode_store() calls xe_gt_reset() which internally invokes\nxe_pm_runtime_get_noresume(). 
That function requires the caller\nto already hold an outer runtime PM reference and warns if none\nis held:\n\n  [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection\n  [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at\n  xe_pm_runtime_get_noresume+0x8b/0xc0\n\nFix this by protecting xe_gt_reset() with the scope-based\nguard(xe_pm_runtime)(xe), which is the preferred form when\nthe reference lifetime matches a single scope.\n\nv2:\n- Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng)\n- Update commit message accordingly\n\n(cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/65d046b2d8e0d6d855379a981869005fd6b6a41b","https://git.kernel.org/stable/c/c409ecce9adcf815e86bc2f68834982e5a9c4e76"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31548","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down\n\nWhen the nl80211 socket that originated a PMSR request is\nclosed, cfg80211_release_pmsr() sets the request's nl_portid\nto zero and schedules pmsr_free_wk to process the abort\nasynchronously. If the interface is concurrently torn down\nbefore that work runs, cfg80211_pmsr_wdev_down() calls\ncfg80211_pmsr_process_abort() directly. However, the already-\nscheduled pmsr_free_wk work item remains pending and may run\nafter the interface has been removed from the driver. This\ncould cause the driver's abort_pmsr callback to operate on a\ntorn-down interface, leading to undefined behavior and\npotential crashes.\n\nCancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()\nbefore calling cfg80211_pmsr_process_abort(). 
This ensures any\npending or in-progress work is drained before interface teardown\nproceeds, preventing the work from invoking the driver abort\ncallback after the interface is gone.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28d3551f8d8cb3aec7497894d94150fe84d20e5e","https://git.kernel.org/stable/c/37e776e2e0a523731e2470dce6d563f0e8632a40","https://git.kernel.org/stable/c/6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09","https://git.kernel.org/stable/c/72b7ea786b8e570ae11149e9089859a4a8634a13","https://git.kernel.org/stable/c/a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf","https://git.kernel.org/stable/c/d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa"],"published_time":"2026-04-24T15:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31051","summary":"An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component","cvss":3.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Business%20Logic%20Vulnerability/Business%20Logic%20Vulnerability","https://hostbillapp.com/changelog","https://hostbillapp.com/release-notes/11-27-2025.html","https://hostbillapp.com/release-notes/12-01-2025.html","https://hostbillapp.com/responsible-disclosure","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Business%20Logic%20Vulnerability/Business%20Logic%20Vulnerability"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31052","summary":"An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial 
of service via the Checkout Authentication Flow component","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Rate%20Limit%20Bypass/Description","https://hostbillapp.com/changelog","https://hostbillapp.com/release-notes/11-27-2025.html","https://hostbillapp.com/responsible-disclosure","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Rate%20Limit%20Bypass/Description"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31534","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let send_done handle a completion without IB_SEND_SIGNALED\n\nWith smbdirect_send_batch processing we likely have requests without\nIB_SEND_SIGNALED, which will be destroyed in the final request\nthat has IB_SEND_SIGNALED set.\n\nIf the connection is broken all requests are signaled\neven without explicit IB_SEND_SIGNALED.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16c8be3d55441287ddd334e25df4cc376450dec9","https://git.kernel.org/stable/c/86d9742c3f7ed7eba677517c80b4597822750e65","https://git.kernel.org/stable/c/cf74fcdc43b322b6188a0750b5ee79e38be6d078"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31535","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic off managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might already consumed a 
credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a decicated counter for the\navailable credits, which will be incremented\nwhen we posted new recv buffers and drained when\nwe grant the credits to the peer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9911b1ed187a770a43950bf51f340ad4b7beecba","https://git.kernel.org/stable/c/be8845ad5d6558703d20567d8702155598325db8","https://git.kernel.org/stable/c/f664e6e8a81103cb45c8802a9bc7499e0902c458"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31536","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: let send_done handle a completion without IB_SEND_SIGNALED\n\nWith smbdirect_send_batch processing we likely have requests without\nIB_SEND_SIGNALED, which will be destroyed in the final request\nthat has IB_SEND_SIGNALED set.\n\nIf the connection is broken all requests are signaled\neven without explicit IB_SEND_SIGNALED.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f","https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47","https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31537","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.send_io.bcredits\n\nIt turns 
out that our code will corrupt the stream of\nreassabled data transfer messages when we trigger an\nimmendiate (empty) send.\n\nIn order to fix this we'll have a single 'batch' credit per\nconnection. And code getting that credit is free to use\nas much messages until remaining_length reaches 0, then\nthe batch credit it given back and the next logical send can\nhappen.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1","https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7","https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31538","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic off managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a decicated counter for the\navailable credits, which will be incremented\nwhen we posted new recv buffers and drained when\nwe grant the credits to the peer.\n\nThis fixes regression Namjae reported with\nthe 6.18 
release.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26ad87a2cfb8c1384620d1693a166ed87303046e","https://git.kernel.org/stable/c/66c082e3d4651e8629a393a9e182b01eb50fb0a3","https://git.kernel.org/stable/c/809cbd31aa4f87a1b889532244c9cf30eb022385"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31539","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: smbdirect: introduce smbdirect_socket.recv_io.credits.available\n\nThe logic off managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a decicated counter for the\navailable credits, which will be incremented\nwhen we posted new recv buffers and drained when\nwe grant the credits to the peer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6e3c5052f9686192e178806e017b7377155f4bab","https://git.kernel.org/stable/c/e811e60e1cc79923c4388146eb1fa26a7482731e","https://git.kernel.org/stable/c/f99996870222b598914a1f49d7375dc23752c237"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31540","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Check set_default_submission() before deferencing\n\nWhen the i915 driver firmware binaries are not present, the\nset_default_submission pointer is not set. 
This pointer is\ndereferenced during suspend anyways.\n\nAdd a check to make sure it is set before dereferencing.\n\n[   23.289926] PM: suspend entry (deep)\n[   23.293558] Filesystems sync: 0.000 seconds\n[   23.298010] Freezing user space processes\n[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)\n[   23.309766] OOM killer disabled.\n[   23.313027] Freezing remaining freezable tasks\n[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[   23.342038] serial 00:05: disabled\n[   23.345719] serial 00:02: disabled\n[   23.349342] serial 00:01: disabled\n[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache\n[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache\n[   23.361635] ata1.00: Entering standby power mode\n[   23.368863] ata2.00: Entering standby power mode\n[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   23.452194] #PF: supervisor instruction fetch in kernel mode\n[   23.457896] #PF: error_code(0x0010) - not-present page\n[   23.463065] PGD 0 P4D 0\n[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI\n[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)\n[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[   23.496511] Workqueue: async async_run_entry_fn\n[   23.501087] RIP: 0010:0x0\n[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246\n[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f\n[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000\n[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff\n[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8\n[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68\n[   23.551457] FS:  0000000000000000(0000) 
GS:ffff9f466b2cf000(0000) knlGS:0000000000000000\n[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0\n[   23.572539] PKRU: 55555554\n[   23.575281] Call Trace:\n[   23.577770]  <TASK>\n[   23.579905]  intel_engines_reset_default_submission+0x42/0x60\n[   23.585695]  __intel_gt_unset_wedged+0x191/0x200\n[   23.590360]  intel_gt_unset_wedged+0x20/0x40\n[   23.594675]  gt_sanitize+0x15e/0x170\n[   23.598290]  i915_gem_suspend_late+0x6b/0x180\n[   23.602692]  i915_drm_suspend_late+0x35/0xf0\n[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10\n[   23.611843]  dpm_run_callback+0x78/0x1c0\n[   23.615817]  device_suspend_late+0xde/0x2e0\n[   23.620037]  async_suspend_late+0x18/0x30\n[   23.624082]  async_run_entry_fn+0x25/0xa0\n[   23.628129]  process_one_work+0x15b/0x380\n[   23.632182]  worker_thread+0x2a5/0x3c0\n[   23.635973]  ? __pfx_worker_thread+0x10/0x10\n[   23.640279]  kthread+0xf6/0x1f0\n[   23.643464]  ? __pfx_kthread+0x10/0x10\n[   23.647263]  ? __pfx_kthread+0x10/0x10\n[   23.651045]  ret_from_fork+0x131/0x190\n[   23.654837]  ? 
__pfx_kthread+0x10/0x10\n[   23.658634]  ret_from_fork_asm+0x1a/0x30\n[   23.662597]  </TASK>\n[   23.664826] Modules linked in:\n[   23.667914] CR2: 0000000000000000\n[   23.671271] ------------[ cut here ]------------\n\n(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0162ab3220bac870e43e229e6e3024d1a21c3f26","https://git.kernel.org/stable/c/1a16150729db8d997e39519f9d58e6b435c4c087","https://git.kernel.org/stable/c/2e20a886b443a71b573ceaed3ca7053d15380916","https://git.kernel.org/stable/c/cf4b224ffb9a58181be32b64130fc36cf59c3192","https://git.kernel.org/stable/c/da6552d67012a1cf0585f2eb401d0c4abcf108c9","https://git.kernel.org/stable/c/db8b1bebe81ffb410ddd746b6869f72e22420850","https://git.kernel.org/stable/c/df1f4a7d9cf689b4e96c95255228896505f44c31"],"published_time":"2026-04-24T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31050","summary":"Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary 
code","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces","https://hostbillapp.com/changelog","https://hostbillapp.com/release-notes/11-27-2025.html","https://hostbillapp.com/release-notes/12-01-2025.html","https://hostbillapp.com/responsible-disclosure","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces"],"published_time":"2026-04-24T15:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61872","summary":"Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mahara.org","https://mahara.org/interaction/forum/topic.php?id=9851"],"published_time":"2026-04-24T15:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25660","summary":"CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \nAuthentication bypass occurs when the URL ends with Authentication with certain function calls.  
This bypass allows assigning arbitrary permission to any user existing in CodeChecker.\n\nThis issue affects CodeChecker: through 6.27.3.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Ericsson/codechecker/security/advisories/GHSA-4v9x-cqc5-j645"],"published_time":"2026-04-24T14:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38743","summary":"The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user.\n\nUsers are recommended to upgrade to version 3.2.1 , which fixes this issue.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/airflow/pull/64822","https://lists.apache.org/thread/sk2wj0x48o8qb4p7c47gvnhjbm0mg396","http://www.openwall.com/lists/oss-security/2026/04/24/3"],"published_time":"2026-04-24T13:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40690","summary":"The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which 
fixes this issue.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/airflow/pull/65273","https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl","http://www.openwall.com/lists/oss-security/2026/04/24/4"],"published_time":"2026-04-24T13:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5265","summary":"When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-5265","https://bugzilla.redhat.com/show_bug.cgi?id=2453458","http://www.openwall.com/lists/oss-security/2026/04/20/2","http://www.openwall.com/lists/oss-security/2026/04/20/4"],"published_time":"2026-04-24T13:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5367","summary":"A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. 
This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-5367","https://bugzilla.redhat.com/show_bug.cgi?id=2455863","http://www.openwall.com/lists/oss-security/2026/04/20/3","http://www.openwall.com/lists/oss-security/2026/04/20/5"],"published_time":"2026-04-24T13:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21515","summary":"Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515"],"published_time":"2026-04-24T13:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4313","summary":"AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. 
Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser.\nCritically, this may allow the attacker to obtain the administrator authentication token and perform arbitrary actions with administrative privileges, which could lead to further compromise.\n\nThis issue occurs in versions released before December 2025.","cvss":2.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.4,"epss":0.00097,"ranking_epss":0.26574,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://adaptivegrc.com/pl/wszystkie-procesy-grc-w-jednym-narzedziu/","https://cert.pl/posts/2026/04/CVE-2026-4313"],"published_time":"2026-04-24T12:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6043","summary":"P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. 
The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":0.00061,"ranking_epss":0.19007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html","https://portal.perforce.com/s/cve/a91Qi000002wRUvIAM/insecure-default-configuration-in-p4-server"],"published_time":"2026-04-24T12:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23902","summary":"Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1. \n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9","http://www.openwall.com/lists/oss-security/2026/04/24/1"],"published_time":"2026-04-24T12:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40466","summary":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\n\n\n\nAn authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath.\nA malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. 
The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.\nBecause Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\n\n\nThis issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.\n\nUsers are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18751,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt"],"published_time":"2026-04-24T11:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41043","summary":"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.\n\nAn authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.\n\nThis issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.\n\nUsers are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the 
issue.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://activemq.apache.org/security-advisories.data/CVE-2026-41043-announcement.txt","http://www.openwall.com/lists/oss-security/2026/04/23/5"],"published_time":"2026-04-24T11:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41044","summary":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.\n\nAn authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application.\nThe attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file.\n\n\nBecause Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\n\nThis issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.\n\nUsers are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the 
issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18751,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt","http://www.openwall.com/lists/oss-security/2026/04/23/6"],"published_time":"2026-04-24T11:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62233","summary":"Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler: \n\nVersion >= 3.2.0 and < 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0","http://www.openwall.com/lists/oss-security/2026/04/24/2"],"published_time":"2026-04-24T11:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6272","summary":"A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.\n\n1. Obtain any valid token with only read scope.\n2. Connect to the normal production gRPC API (kuksa.val.v2).\n3. Open OpenProviderStream.\n4. Send ProvideSignalRequest for a target signal ID.\n5. Wait for the broker to forward GetProviderValueRequest.\n6. Reply with attacker-controlled GetProviderValueResponse.\n7. 
Other clients performing GetValue / GetValues for that signal receive forged data.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.5,"epss":0.00038,"ranking_epss":0.11521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/98","https://gitlab.eclipse.org/security/cve-assignment/-/issues/98"],"published_time":"2026-04-24T09:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21728","summary":"Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.\n\nMitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02106,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://grafana.com/security/security-advisories/cve-2026-21728"],"published_time":"2026-04-24T09:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3565","summary":"The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. 
This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request granted they can trick the user into performing an action such as clicking a link or visiting a malicious page.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/taqnix/tags/1.0.3/public/class-taqnix-user.php#L67","https://plugins.trac.wordpress.org/browser/taqnix/tags/1.0.3/public/class-taqnix-user.php#L883","https://plugins.trac.wordpress.org/browser/taqnix/tags/1.0.3/public/class-taqnix-user.php#L916","https://plugins.trac.wordpress.org/browser/taqnix/trunk/public/class-taqnix-user.php#L67","https://plugins.trac.wordpress.org/browser/taqnix/trunk/public/class-taqnix-user.php#L883","https://plugins.trac.wordpress.org/browser/taqnix/trunk/public/class-taqnix-user.php#L916","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491080%40taqnix&new=3491080%40taqnix&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/82aeab24-3467-4cb0-b71f-b7f97c26dc80?source=cve"],"published_time":"2026-04-24T08:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3569","summary":"The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. 
This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L19","https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L50","https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L90","https://plugins.trac.wordpress.org/browser/liaison-site-prober/trunk/includes/class-liaison-rest-controller.php#L19","https://plugins.trac.wordpress.org/browser/liaison-site-prober/trunk/includes/class-liaison-rest-controller.php#L50","https://plugins.trac.wordpress.org/browser/liaison-site-prober/trunk/includes/class-liaison-rest-controller.php#L90","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481019%40liaison-site-prober&new=3481019%40liaison-site-prober&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/eda5addb-40e2-4187-b803-34500b36be0a?source=cve"],"published_time":"2026-04-24T08:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4078","summary":"The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. 
The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '\"'.$key.'\": \"'.$value.'\"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12916,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L489","https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L511","https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L519","https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L527","https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L551","https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L561","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L489","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L511","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L519","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L527","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L551","https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L561","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3507724%40iteras&new=3507724%40iteras&sfp_email=&sfph_mail=","https://www.word
fence.com/threat-intel/vulnerabilities/id/bd034f43-370c-4ad9-ad02-4cae0f48d781?source=cve"],"published_time":"2026-04-24T08:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-11762","summary":"The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php","https://research.cleantalk.org/CVE-2025-11762","https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"],"published_time":"2026-04-24T08:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1951","summary":"Delta Electronics AS320T has no checking of the length of the buffer with the directory name\n\n vulnerability.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"],"published_time":"2026-04-24T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1952","summary":"Delta Electronics AS320T has denial of service via the undocumented subfunction 
vulnerability.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"],"published_time":"2026-04-24T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1950","summary":"Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.13024,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"],"published_time":"2026-04-24T07:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5364","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. 
This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.29416,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181","https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498020%40drag-and-drop-file-upload-for-contact-form-7&new=3498020%40drag-and-drop-file-upload-for-contact-form-7&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"],"published_time":"2026-04-24T06:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5428","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in 
versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01664,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6752","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6755","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6752","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6755","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3503209%40royal-elementor-addons&new=3503209%40royal-elementor-addons&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=cve"],"published_time":"2026-04-24T06:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6810","summary":"The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01855,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608","https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38","https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71","https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608","https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38","https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512197%40booking-calendar-contact-form&new=3512197%40booking-calendar-contact-form&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"],"published_time":"2026-04-24T06:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5347","summary":"The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. 
The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02932,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.7.8/wp-books-gallery.php#L206","https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.7.8/wp-books-gallery.php#L207","https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.8.1/wp-books-gallery.php#L207","https://plugins.trac.wordpress.org/browser/wp-books-gallery/trunk/wp-books-gallery.php#L206","https://plugins.trac.wordpress.org/browser/wp-books-gallery/trunk/wp-books-gallery.php#L207","https://www.wordfence.com/threat-intel/vulnerabilities/id/12bf1cd8-cd55-4771-b2bb-597797b1b949?source=cve"],"published_time":"2026-04-24T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1949","summary":"Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05075,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"],"published_time":"2026-04-24T06:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6947","summary":"DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force 
Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00042,"ranking_epss":0.12627,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10865-de323-2.html","https://www.twcert.org.tw/tw/cp-132-10864-944b1-1.html"],"published_time":"2026-04-24T04:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5488","summary":"The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10154,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/admin/admin-assets.php#L196","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L167","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L243","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/admin-assets.php#L196","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L167","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L243","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3513041%40google-analytics-dashboard-for-wp&new=3513041%40google-analytics-dashboard-for-wp&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/6a4359e4-5843-4d2c-b288-5c35f819241a?source=cve"],"published_time":"2026-04-24T04:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6393","summary":"The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06573,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L138","https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L31","https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L138","https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L31","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512640%40betterdocs&new=3512640%40betterdocs&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a?source=cve"],"published_time":"2026-04-24T04:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41430","summary":"Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. 
The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.","cvss":1.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":1.3,"epss":0.00047,"ranking_epss":0.14493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6","https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c"],"published_time":"2026-04-24T04:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41485","summary":"Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.11149,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb","https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3","https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv","https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"],"published_time":"2026-04-24T04:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41318","summary":"AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. 
Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt=\"...\"` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535","https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5","https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5"],"published_time":"2026-04-24T04:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41319","summary":"MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). 
The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.0903,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr"],"published_time":"2026-04-24T04:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41323","summary":"Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. 
Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.0585,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5","https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6","https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0","https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4","https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4"],"published_time":"2026-04-24T04:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41324","summary":"basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12051,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr","https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr"],"published_time":"2026-04-24T04:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41068","summary":"Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. 
However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777","https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p","https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p"],"published_time":"2026-04-24T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2028","summary":"The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. 
This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.11166,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44","https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44","https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"],"published_time":"2026-04-24T04:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41317","summary":"Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. 
The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.","cvss":6.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.6,"epss":0.00019,"ranking_epss":0.05141,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd","https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf"],"published_time":"2026-04-24T03:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33317","summary":"OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()`  in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE`  or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. 
Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02283,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca","https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900","https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9","https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33318","summary":"Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. 
Client-controlled loginMethod: \"password\" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00069,"ranking_epss":0.20975,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://actualbudget.org/blog/release-26.4.0","https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40254","summary":"FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. 
Version 3.25.0 patches the issue.","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.078,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx","https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41305","summary":"PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08281,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/postcss/postcss/releases/tag/8.5.10","https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93","https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41309","summary":"Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000 \\times 10000$ pixels). While the compressed file size on disk may be small, the server attempts to allocate significant memory and CPU cycles during the decompression and resizing process, leading to a Denial of Service (DoS) condition. It is highly recommended to upgrade to OSSN 9.0. 
This version introduces stricter validation of image dimensions and improved resource management during the processing phase. Those who cannot upgrade immediately can mitigate the risk by adjusting their `php.ini` settings to strictly limit `memory_limit` and `max_execution_time` and/or implementing a client-side and server-side check on image headers to reject files exceeding reasonable pixel dimensions (e.g., $4000 \\times 4000$ pixels) before processing begins.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.00057,"ranking_epss":0.17647,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/opensource-socialnetwork/opensource-socialnetwork/commit/12357113b3be189da7f6e429979a464e4f982117","https://github.com/opensource-socialnetwork/opensource-socialnetwork/issues/2535","https://github.com/opensource-socialnetwork/opensource-socialnetwork/security/advisories/GHSA-72qf-xrcw-fhr2"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41316","summary":"ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. 
ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00083,"ranking_epss":0.24107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"],"published_time":"2026-04-24T03:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33076","summary":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.9,"epss":0.00492,"ranking_epss":0.6567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmgm-p9x9-h33j","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmgm-p9x9-h33j"],"published_time":"2026-04-24T03:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33077","summary":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file read vulnerability. 
Version 8.2.6.4 fixes the issue.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":0.00046,"ranking_epss":0.14211,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-c799-4ww6-q93w"],"published_time":"2026-04-24T03:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33078","summary":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.9,"epss":0.0003,"ranking_epss":0.08675,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j"],"published_time":"2026-04-24T03:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33208","summary":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. 
An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":0.00407,"ranking_epss":0.61168,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2","https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2"],"published_time":"2026-04-24T03:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32952","summary":"go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00057,"ranking_epss":0.17825,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Azure/go-ntlmssp/releases/tag/v0.1.1","https://github.com/Azure/go-ntlmssp/security/advisories/GHSA-pjcq-xvwq-hhpj"],"published_time":"2026-04-24T03:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34587","summary":"Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). 
It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows the `isDraft` flag to be overridden when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":0.00036,"ranking_epss":0.10658,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getkirby/kirby/releases/tag/4.9.0","https://github.com/getkirby/kirby/releases/tag/5.4.0","https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452"],"published_time":"2026-04-24T01:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40099","summary":"Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). 
It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows the `isDraft` flag to be overridden when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.0003,"ranking_epss":0.08542,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getkirby/kirby/releases/tag/4.9.0","https://github.com/getkirby/kirby/releases/tag/5.4.0","https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"],"published_time":"2026-04-24T01:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41325","summary":"Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). 
It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.0003,"ranking_epss":0.08542,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getkirby/kirby/releases/tag/4.9.0","https://github.com/getkirby/kirby/releases/tag/5.4.0","https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"],"published_time":"2026-04-24T01:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31953","summary":"Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. 
When the notification is set as an \"interrupt,\" the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include \"Add Notification\" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.0647,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1","https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2"],"published_time":"2026-04-24T01:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31955","summary":"Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include \"Add DataSet\" button to allow for additional DataSets to be created independently to Layouts. 
Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09415,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1","https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p"],"published_time":"2026-04-24T01:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31956","summary":"Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1","https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"],"published_time":"2026-04-24T01:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32870","summary":"Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. 
If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00045,"ranking_epss":0.13604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getkirby/kirby/releases/tag/4.9.0","https://github.com/getkirby/kirby/releases/tag/5.4.0","https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr"],"published_time":"2026-04-24T01:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40630","summary":"A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. 
An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00093,"ranking_epss":0.25825,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35503","summary":"A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00061,"ranking_epss":0.18997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39462","summary":"A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. 
After the device undergoes a factory restore using the SenseLive Config 2.0 tool, the interface may indicate that the password update was successful; however, the system may continue to accept the previous or default credentials, demonstrating that the password-change process is not consistently enforced. Even after a factory reset, attempted password changes may fail to propagate correctly.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":9.3,"epss":0.00039,"ranking_epss":0.11779,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40431","summary":"A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00034,"ranking_epss":0.10126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40620","summary":"A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. 
The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00067,"ranking_epss":0.20588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40623","summary":"A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchdog timers, reconnect intervals, and service ports can be set to unsupported or unsafe values. These configuration changes directly affect core device behaviour and recovery mechanisms. 
The lack of proper validation and safeguards allows critical system functions to be altered in a manner that can destabilize device operation or render the device persistently unavailable.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.00034,"ranking_epss":0.10137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27843","summary":"A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":9.2,"epss":0.00068,"ranking_epss":0.20824,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29050","summary":"melange allows users to build apk packages using declarative pipelines. 
Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + \".yaml\")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01558,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29051","summary":"melange allows users to build apk packages using declarative pipelines. 
Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. 
Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04062,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac","https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29197","summary":"In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02598,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RocketChat/Rocket.Chat/pull/40125","https://hackerone.com/reports/3589551"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31952","summary":"Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. 
Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17115,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6","https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736","https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4","https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1","https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35064","summary":"A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. 
Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.0005,"ranking_epss":0.1557,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1789","summary":"A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers and office/small office multifunction printers.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":6.9,"epss":0.00047,"ranking_epss":0.1436,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://canon.jp/support/support-info/260423vulnerability-response","https://psirt.canon/advisory-information/cp2026-003/","https://www.canon-europe.com/support/product-security/","https://www.usa.canon.com/about-us/to-our-customers/cpa2026-003-vulnerability-mitigation-remediation-for-production-printers-and-office-multifunction-printers"],"published_time":"2026-04-24T00:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25720","summary":"A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. 
An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":6.9,"epss":0.00043,"ranking_epss":0.12958,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25775","summary":"A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00067,"ranking_epss":0.20588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27841","summary":"A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. 
Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":8.4,"epss":0.00014,"ranking_epss":0.02834,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json","https://senselive.io/contact","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"],"published_time":"2026-04-24T00:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6732","summary":"A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03393,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6732","https://bugzilla.redhat.com/show_bug.cgi?id=2461300","https://gitlab.gnome.org/GNOME/libxml2/-/issues/1097","https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/411"],"published_time":"2026-04-23T23:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41356","summary":"OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. 
Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":2.3,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d","https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x","https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41357","summary":"OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.","cvss":2.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":2.0,"epss":0.00011,"ranking_epss":0.0146,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/cfe14459531e002a1c61c27d97ec7dc8aecddc1f","https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx","https://www.vulncheck.com/advisories/openclaw-unsanitized-environment-variable-leakage-in-ssh-sandbox-backends"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41358","summary":"OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. 
Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":2.3,"epss":0.00014,"ranking_epss":0.02499,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d","https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm","https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41359","summary":"OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.0002,"ranking_epss":0.05641,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986","https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41360","summary":"OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. 
Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.","cvss":5.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":5.4,"epss":0.00011,"ranking_epss":0.01365,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff","https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj","https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-in-pnpm-dlx-local-script-binding"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41361","summary":"OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":5.1,"epss":0.0004,"ranking_epss":0.12015,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m","https://www.vulncheck.com/advisories/openclaw-ssrf-guard-bypass-via-ipv6-special-use-ranges"],"published_time":"2026-04-23T22:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41350","summary":"OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. 
Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8","https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75","https://www.vulncheck.com/advisories/openclaw-session-visibility-bypass-via-session-status-in-unsandboxed-invocations"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41351","summary":"OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.3,"epss":0.00028,"ranking_epss":0.07933,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a","https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx","https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41352","summary":"OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. 
Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":7.7,"epss":0.0037,"ranking_epss":0.58872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32","https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4","https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41353","summary":"OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.6,"epss":0.00042,"ranking_epss":0.12855,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5","https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3","https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41354","summary":"OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. 
Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00037,"ranking_epss":0.10944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412","https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4","https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41355","summary":"OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.","cvss":5.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":5.4,"epss":0.00012,"ranking_epss":0.01722,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1","https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh","https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion"],"published_time":"2026-04-23T22:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41345","summary":"OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. 
Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.0,"epss":0.0003,"ranking_epss":0.08592,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f","https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h","https://www.vulncheck.com/advisories/openclaw-authorization-header-leak-via-cross-origin-redirect-in-media-download"],"published_time":"2026-04-23T22:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41346","summary":"OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.3,"epss":0.00095,"ranking_epss":0.26271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785","https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8","https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement"],"published_time":"2026-04-23T22:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41347","summary":"OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. 
Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":2.3,"epss":0.00014,"ranking_epss":0.02726,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d","https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q","https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints"],"published_time":"2026-04-23T22:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41348","summary":"OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":2.3,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591","https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43","https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands"],"published_time":"2026-04-23T22:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41349","summary":"OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. 
Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00106,"ranking_epss":0.28451,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e","https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw","https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch"],"published_time":"2026-04-23T22:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41339","summary":"OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00027,"ranking_epss":0.07609,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e","https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42","https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41340","summary":"OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. 
Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.3,"epss":0.0006,"ranking_epss":0.18523,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/d8c68c8d4265ea6fa5e8c5e056534c351bddef37","https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr","https://www.vulncheck.com/advisories/openclaw-authentication-boundary-bypass-via-telegram-legacy-allowfrom-migration"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41341","summary":"OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":2.3,"epss":0.00014,"ranking_epss":0.02424,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf","https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6","https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41342","summary":"OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. 
Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":7.4,"epss":9e-05,"ranking_epss":0.00932,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3","https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41343","summary":"OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00088,"ranking_epss":0.24973,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad","https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2","https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41344","summary":"OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. 
Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.3,"epss":0.00046,"ranking_epss":0.1406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter"],"published_time":"2026-04-23T22:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41333","summary":"OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00041,"ranking_epss":0.12565,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9","https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f","https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41334","summary":"OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. 
Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00032,"ranking_epss":0.09272,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/0ed4f8a72bb140045962e97ab01c94c076b758a4","https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2","https://www.vulncheck.com/advisories/openclaw-decompression-bomb-denial-of-service-via-image-pixel-limit-guard-bypass"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41335","summary":"OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00027,"ranking_epss":0.0769,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3","https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w","https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41336","summary":"OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. 
Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00013,"ranking_epss":0.02219,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289","https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45","https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41337","summary":"OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.3,"epss":0.00025,"ranking_epss":0.06847,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b","https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf","https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41338","summary":"OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. 
Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.","cvss":4.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":4.3,"epss":0.00011,"ranking_epss":0.01397,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/32a4a47d602e0618f87b3e59f94d8c142767f860","https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw","https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-vulnerability-in-sandbox-file-operations"],"published_time":"2026-04-23T22:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35431","summary":"Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.20075,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431"],"published_time":"2026-04-23T22:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41274","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. 
This vulnerability is fixed in 3.1.0.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00078,"ranking_epss":0.22965,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"],"published_time":"2026-04-23T22:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41332","summary":"OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.","cvss":5.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":5.8,"epss":0.00015,"ranking_epss":0.03253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg","https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist"],"published_time":"2026-04-23T22:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33102","summary":"Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33102"],"published_time":"2026-04-23T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33819","summary":"Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a 
network.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00275,"ranking_epss":0.50929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819"],"published_time":"2026-04-23T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32210","summary":"Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210"],"published_time":"2026-04-23T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32172","summary":"Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32172"],"published_time":"2026-04-23T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2708","summary":"A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. 
This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08266,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-2708","https://bugzilla.redhat.com/show_bug.cgi?id=2440743","https://gitlab.gnome.org/GNOME/libsoup/-/issues/500","https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/513"],"published_time":"2026-04-23T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26210","summary":"KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00036,"ranking_epss":0.10506,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chocapikk.com/posts/2026/ktransformers-pickle-rce/","https://github.com/kvcache-ai/ktransformers/pull/1944","https://www.vulncheck.com/advisories/ktransformers-unsafe-deserialization-rce-via-balance-serve"],"published_time":"2026-04-23T22:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26150","summary":"Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a 
network.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18903,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26150"],"published_time":"2026-04-23T22:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24303","summary":"Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24303"],"published_time":"2026-04-23T22:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6375","summary":"A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0005,"ranking_epss":0.15431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04"],"published_time":"2026-04-23T21:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6376","summary":"A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. 
This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0006,"ranking_epss":0.18776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04"],"published_time":"2026-04-23T21:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6940","summary":"radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":6.9,"epss":0.00016,"ranking_epss":0.03718,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/radareorg/radare2/pull/25830","https://github.com/radareorg/radare2/pull/25830/commits","https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion"],"published_time":"2026-04-23T21:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6941","summary":"radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. 
Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":6.9,"epss":0.00011,"ranking_epss":0.01414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4","https://github.com/radareorg/radare2/pull/25831","https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink"],"published_time":"2026-04-23T21:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6942","summary":"radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). 
Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00271,"ranking_epss":0.50509,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/radareorg/radare2-mcp/commit/482cde6500009112a8bc0b3fa8d2ef6180581ec0","https://github.com/radareorg/radare2-mcp/issues/45","https://www.vulncheck.com/advisories/radare2-mcp-os-command-injection-via-shell-metacharacter-bypass"],"published_time":"2026-04-23T21:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28525","summary":"SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":8.2,"epss":0.00035,"ranking_epss":0.10347,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74","https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser"],"published_time":"2026-04-23T21:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41275","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. 
Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0.","cvss":7.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.5,"epss":0.00035,"ranking_epss":0.10233,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x5w6-38gp-mrqh","https://hackerone.com/reports/1888915"],"published_time":"2026-04-23T20:16:16","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41276","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the \"/api/v1/account/reset-password\" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. 
This vulnerability is fixed in 3.1.0.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":7.7,"epss":0.00146,"ranking_epss":0.34731,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878p","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878p"],"published_time":"2026-04-23T20:16:16","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41277","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":7.6,"epss":0.00049,"ranking_epss":0.15042,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3prp-9gf7-4rxx"],"published_time":"2026-04-23T20:16:16","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41278","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. 
Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00042,"ranking_epss":0.12865,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w47f-j8rh-wx87"],"published_time":"2026-04-23T20:16:16","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41279","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.2,"epss":0.00041,"ranking_epss":0.12439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947"],"published_time":"2026-04-23T20:16:16","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41266","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. 
An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.7,"epss":0.0005,"ranking_epss":0.15328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4jpm-cgx2-8h37"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41267","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13323,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41268","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. 
This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00172,"ranking_epss":0.38386,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41269","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41270","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. 
While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services). This vulnerability is fixed in 3.1.0.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11333,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-xhmj-rg95-44hv"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41271","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.15002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41272","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. 
Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11333,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41273","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":7.7,"epss":0.00087,"ranking_epss":0.24797,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667"],"published_time":"2026-04-23T20:16:15","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41137","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. 
Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":9.4,"epss":0.0062,"ranking_epss":0.7011,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"],"published_time":"2026-04-23T20:16:14","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41138","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00434,"ranking_epss":0.62856,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6"],"published_time":"2026-04-23T20:16:14","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41264","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. 
An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.2,"epss":0.00109,"ranking_epss":0.29058,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj"],"published_time":"2026-04-23T20:16:14","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-41265","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. 
This vulnerability is fixed in 3.1.0.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.2,"epss":0.00062,"ranking_epss":0.19145,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"],"published_time":"2026-04-23T20:16:14","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-25874","summary":"LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00062,"ranking_epss":0.19278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chocapikk.com/posts/2026/lerobot-pickle-rce/","https://github.com/huggingface/lerobot/issues/3047","https://github.com/huggingface/lerobot/issues/3134","https://github.com/huggingface/lerobot/pull/3048","https://www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpc"],"published_time":"2026-04-23T20:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41259","summary":"Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. 
This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.00042,"ranking_epss":0.12865,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh"],"published_time":"2026-04-23T19:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6074","summary":"A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00168,"ranking_epss":0.37699,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-06"],"published_time":"2026-04-23T19:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41173","summary":"The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory.  AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. 
This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100","https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41205","summary":"Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":0.00046,"ranking_epss":0.14211,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41213","summary":"@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. 
Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41241","summary":"pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09421,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41246","summary":"Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. 
An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00072,"ranking_epss":0.21762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/projectcontour/contour/releases/tag/v1.31.6","https://github.com/projectcontour/contour/releases/tag/v1.32.5","https://github.com/projectcontour/contour/releases/tag/v1.33.4","https://github.com/projectcontour/contour/security/advisories/GHSA-x4mj-7f9g-29h4"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41247","summary":"elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. 
An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.9,"epss":0.00436,"ranking_epss":0.63043,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc"],"published_time":"2026-04-23T19:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33694","summary":"This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":0.00015,"ranking_epss":0.02861,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tenable.com/security/tns-2026-12","https://tenable.com/security/tns-2026-13"],"published_time":"2026-04-23T19:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40886","summary":"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. 
This vulnerability is fixed in 4.0.5 and 3.7.14.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p"],"published_time":"2026-04-23T19:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40894","summary":"OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05856,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048","https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244","https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309","https://github.com/open-telemetry/opentelemetry-dotnet/pull/533","https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061","https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"],"published_time":"2026-04-23T19:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41078","summary":"OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. 
Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12051,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"],"published_time":"2026-04-23T19:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31169","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-week-cmd-injection"],"published_time":"2026-04-23T19:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31173","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-interval-cmd-injection"],"published_time":"2026-04-23T19:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31162","summary":"An issue was discovered in 
ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-ttl-way-cmd-injection"],"published_time":"2026-04-23T19:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31163","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-dhcp-mtu-cmd-injection"],"published_time":"2026-04-23T19:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31166","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03064,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-hour-cmd-injection"],"published_time":"2026-04-23T19:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31167","summary":"An issue was discovered in ToToLink 
A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-mode-cmd-injection"],"published_time":"2026-04-23T19:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31168","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-rechour-cmd-injection"],"published_time":"2026-04-23T19:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5039","summary":"TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. 
A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition.","cvss":6.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.1,"epss":0.00013,"ranking_epss":0.02051,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware"],"published_time":"2026-04-23T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6919","summary":"Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493652473"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"chrome","version":null},{"cve_id":"CVE-2026-6919","summary":"Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 
(Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493652473"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"android","version":null},{"cve_id":"CVE-2026-6919","summary":"Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493652473"],"published_time":"2026-04-23T18:16:30","vendor":"linux","product":"linux_kernel","version":null},{"cve_id":"CVE-2026-6919","summary":"Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 
(Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493652473"],"published_time":"2026-04-23T18:16:30","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-6920","summary":"Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00068,"ranking_epss":0.2068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/499891888"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"chrome","version":null},{"cve_id":"CVE-2026-6920","summary":"Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 
(Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00068,"ranking_epss":0.2068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/499891888"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"android","version":null},{"cve_id":"CVE-2026-6920","summary":"Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00068,"ranking_epss":0.2068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/499891888"],"published_time":"2026-04-23T18:16:30","vendor":"linux","product":"linux_kernel","version":null},{"cve_id":"CVE-2026-6920","summary":"Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 
(Chromium security severity: High)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00068,"ranking_epss":0.2068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/499891888"],"published_time":"2026-04-23T18:16:30","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-6921","summary":"Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18948,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493315759"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"chrome","version":null},{"cve_id":"CVE-2026-6921","summary":"Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18948,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493315759"],"published_time":"2026-04-23T18:16:30","vendor":"google","product":"android","version":null},{"cve_id":"CVE-2026-6921","summary":"Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. 
(Chromium security severity: Medium)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18948,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493315759"],"published_time":"2026-04-23T18:16:30","vendor":"linux","product":"linux_kernel","version":null},{"cve_id":"CVE-2026-6921","summary":"Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18948,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html","https://issues.chromium.org/issues/493315759"],"published_time":"2026-04-23T18:16:30","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-41908","summary":"OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. 
Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":2.3,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036","https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2","https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route"],"published_time":"2026-04-23T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41909","summary":"OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.3,"epss":0.00025,"ranking_epss":0.06951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6","https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7","https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-paired-device-pairing-actions"],"published_time":"2026-04-23T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40182","summary":"OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, when exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in an unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. 
This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03403,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564","https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017","https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933","https://github.com/open-telemetry/opentelemetry-proto/pull/781"],"published_time":"2026-04-23T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40891","summary":"OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, when exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). 
This vulnerability is fixed in 1.15.2.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02657,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980","https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064","https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"],"published_time":"2026-04-23T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31533","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. 
A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02659,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0","https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8","https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74","https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a","https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412","https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705","https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"],"published_time":"2026-04-23T18:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31178","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-max-alive-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-max-alive-cmd-injection"],"published_time":"2026-04-23T18:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31179","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute 
arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-port-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-port-cmd-injection"],"published_time":"2026-04-23T18:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31181","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-server-addr-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-server-addr-cmd-injection"],"published_time":"2026-04-23T18:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31159","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-password-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-password-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31159","summary":"An issue was discovered in ToToLink A3300R firmware 
v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-password-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-password-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31160","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-provider-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-provider-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31160","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-provider-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-provider-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31164","summary":"An 
issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-mtu-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-mtu-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31164","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-mtu-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-mtu-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31165","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to 
/cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-service-name-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-service-name-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31165","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-service-name-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-pppoe-service-name-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31171","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-url-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-url-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31171","summary":"An issue was discovered in ToToLink A3300R firmware 
v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-url-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-url-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31172","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-user-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-user-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31172","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-user-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-user-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31174","summary":"An issue was discovered in ToToLink A3300R 
firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31174","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31175","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to 
/cgi-bin/cstecgi.cgi.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31175","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31176","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r_firmware","version":null},{"cve_id":"CVE-2026-31176","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 
allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":"totolink","product":"a3300r","version":null},{"cve_id":"CVE-2026-31177","summary":"An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-min-alive-cmd-injection","https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-min-alive-cmd-injection"],"published_time":"2026-04-23T18:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41238","summary":"DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. 
Version 3.4.0 fixes the issue.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09722,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cure53/DOMPurify/releases/tag/3.4.0","https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp","https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp"],"published_time":"2026-04-23T16:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41239","summary":"DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14871,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cure53/DOMPurify/releases/tag/3.4.0","https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8"],"published_time":"2026-04-23T16:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41240","summary":"DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. 
Version 3.4.0 patches the issue.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00045,"ranking_epss":0.13604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80","https://github.com/cure53/DOMPurify/releases/tag/3.4.0","https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m","https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m"],"published_time":"2026-04-23T16:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39087","summary":"An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00246,"ranking_epss":0.47906,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://ntfy.com","http://ntfysh.com","https://gist.github.com/MightyNawaf/5d41d6e8ead16e217f86b016002ecae5"],"published_time":"2026-04-23T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40470","summary":"A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  
As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14124,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://osv.dev/vulnerability/HSEC-2024-0004"],"published_time":"2026-04-23T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40471","summary":"hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.0429,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://osv.dev/vulnerability/HSEC-2026-0002"],"published_time":"2026-04-23T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40472","summary":"In hackage-server, user-controlled metadata from .cabal files are rendered into HTML\nhref attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14124,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://osv.dev/vulnerability/HSEC-2026-0004"],"published_time":"2026-04-23T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62373","summary":"Pipecat is an open-source Python framework for building real-time voice and 
multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. 
Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00304,"ranking_epss":0.53656,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-c2jg-5cp7-6wc7","https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-c2jg-5cp7-6wc7"],"published_time":"2026-04-23T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23751","summary":"Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network 
environment.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00161,"ranking_epss":0.36676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docshield.tungstenautomation.com/Portal/Products/en_US/KC/11.1.0-40hy9nfk91/KC.htm","https://gist.github.com/VAMorales/3888941d6e5efdd4b2e673e999f68ca2","https://www.vulncheck.com/advisories/kofax-capture-unauthenticated-file-read-write-smb-coercion-via-net-remoting"],"published_time":"2026-04-23T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33999","summary":"A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01781,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-33999","https://bugzilla.redhat.com/show_bug.cgi?id=2451106"],"published_time":"2026-04-23T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34001","summary":"A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. 
This could result in a denial of service or further compromise of the system.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02741,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-34001","https://bugzilla.redhat.com/show_bug.cgi?id=2451109"],"published_time":"2026-04-23T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34003","summary":"A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01752,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-34003","https://bugzilla.redhat.com/show_bug.cgi?id=2451113"],"published_time":"2026-04-23T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-50229","summary":"Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://jizhicms.cn","https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c","https://github.com/Cherry-toto/jizhicms","https://github.com/Cherry-toto/jizhicms/issues/105","https://github.com/Cherry-toto/jizhicms/issues/105"],"published_time":"2026-04-23T16:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41460","summary":"SocialEngine versions 7.8.0 and prior contain a SQL 
injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00171,"ranking_epss":0.3814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://karmainsecurity.com/KIS-2026-08","https://socialengine.com","https://www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall","https://karmainsecurity.com/KIS-2026-08","https://karmainsecurity.com/pocs/CVE-2026-41460.php"],"published_time":"2026-04-23T15:37:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41461","summary":"SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. 
Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":6.3,"epss":0.00036,"ranking_epss":0.1074,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://karmainsecurity.com/KIS-2026-07","https://socialengine.com","https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview"],"published_time":"2026-04-23T15:37:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35225","summary":"An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00141,"ranking_epss":0.33973,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-04_vde-2026-040.json","https://www.certvde.com/en/advisories/VDE-2026-040/"],"published_time":"2026-04-23T15:37:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70994","summary":"Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. 
This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08842,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ktauchathuranga/CVE-2025-70994","https://github.com/ktauchathuranga/ghost-keys","https://github.com/ktauchathuranga/CVE-2025-70994"],"published_time":"2026-04-23T15:36:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-66286","summary":"An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the\nWebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07933,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2025-66286","https://bugs.webkit.org/show_bug.cgi?id=259787","https://bugzilla.redhat.com/show_bug.cgi?id=2424652"],"published_time":"2026-04-23T13:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39440","summary":"Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 
3.8.1.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve"],"published_time":"2026-04-23T13:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-13763","summary":"Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04836,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2025-13763","https://bugzilla.redhat.com/show_bug.cgi?id=2417581","https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv","https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763","https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"],"published_time":"2026-04-23T13:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62104","summary":"Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ACF Galerie 4: from n/a through 
1.4.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07357,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/acf-galerie-4/vulnerability/wordpress-acf-galerie-4-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve"],"published_time":"2026-04-23T12:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62110","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.3.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09675,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/rescue-shortcodes/vulnerability/wordpress-rescue-shortcodes-plugin-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"],"published_time":"2026-04-23T12:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28040","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magepeople inc. 
Taxi Booking Manager for WooCommerce allows Stored XSS. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09675,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/ecab-taxi-booking-manager/vulnerability/wordpress-taxi-booking-manager-for-woocommerce-plugin-2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"],"published_time":"2026-04-23T12:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31531","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()\n\nWhen querying a nexthop object via RTM_GETNEXTHOP, the kernel currently\nallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for\nsingle nexthops and small Equal-Cost Multi-Path groups, this fixed\nallocation fails for large nexthop groups like 512 nexthops.\n\nThis results in the following warning splat:\n\n WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608\n [...]\n RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)\n [...]\n Call Trace:\n  <TASK>\n  rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)\n  ___sys_sendmsg (net/socket.c:2641)\n  __sys_sendmsg (net/socket.c:2671)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  </TASK>\n\nFix this by allocating the size dynamically using nh_nlmsg_size() and\nusing nlmsg_new(), this is consistent with nexthop_notify() behavior. 
In\naddition, adjust nh_nlmsg_size_grp() so it calculates the size needed\nbased on flags passed. While at it, also add the size of NHA_FDB for\nnexthop group size calculation as it was missing too.\n\nThis cannot be reproduced via iproute2 as the group size is currently\nlimited and the command fails as follows:\n\naddattr_l ERROR: message exceeded bound of 1048","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.0117,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14cf0cd35361f4e94824bf8a42f72713d7702a73","https://git.kernel.org/stable/c/40bd39e383a0478fd5c221f393df05fd9d70cfbc","https://git.kernel.org/stable/c/615517f3f8d53b0cf41507c7599971e17adfdfa5","https://git.kernel.org/stable/c/635038fe19db391117e66b46bdc2b6e447ac801d"],"published_time":"2026-04-23T12:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31532","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro->uniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro->uniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro->uniq) out of raw_release() and into a raw-specific\nsocket destructor. 
can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0","https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a","https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e","https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa"],"published_time":"2026-04-23T12:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5464","summary":"The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. 
This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00178,"ranking_epss":0.3913,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219","https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27","https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve"],"published_time":"2026-04-23T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6885","summary":"Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00191,"ranking_epss":0.40923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10863-2f48e-2.html","https://www.twcert.org.tw/tw/cp-132-10861-b8709-1.html"],"published_time":"2026-04-23T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6886","summary":"Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers 
to log into the system as any user.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00159,"ranking_epss":0.36539,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10863-2f48e-2.html","https://www.twcert.org.tw/tw/cp-132-10861-b8709-1.html"],"published_time":"2026-04-23T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6887","summary":"Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00081,"ranking_epss":0.23669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10863-2f48e-2.html","https://www.twcert.org.tw/tw/cp-132-10861-b8709-1.html"],"published_time":"2026-04-23T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6903","summary":"The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software.\n\nAdditionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website.\n\nThe vulnerability is only exploitable when the LabOne Web Server is running. 
Installations using only the LabOne APIs without starting the Web Server are not exposed.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00025,"ranking_epss":0.06847,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zhinst.com/support/download-center/","https://www.zhinst.com/support/security/2026/zi-sa-2026-001/"],"published_time":"2026-04-23T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3960","summary":"A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. 
The issue is resolved in version 3.46.0.10.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.41092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044","https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d"],"published_time":"2026-04-23T10:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3259","summary":"A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.00042,"ranking_epss":0.12734,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026"],"published_time":"2026-04-23T10:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41564","summary":"CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.\n\nThe Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. 
Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery.\n\nThis affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08752,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/DCIT/perl-CryptX/commit/9a1dd3e0c27d68e32450be5538b864c2b115ee15.patch","https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6","https://metacpan.org/release/MIK/CryptX-0.088","http://www.openwall.com/lists/oss-security/2026/04/23/2","https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6"],"published_time":"2026-04-23T08:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41040","summary":"GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00043,"ranking_epss":0.1318,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://growi.co.jp/news/44/","https://jvn.jp/en/jp/JVN46728373/"],"published_time":"2026-04-23T07:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4106","summary":"The HT Mega Addons for Elementor  WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 
days","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00547,"ranking_epss":0.67914,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/"],"published_time":"2026-04-23T07:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4512","summary":"The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.","cvss":3.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.5,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/6dfb4378-fe6a-4462-af10-8e7504e3d593/"],"published_time":"2026-04-23T07:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34488","summary":"IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrative privileges.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":7.0,"epss":0.00013,"ranking_epss":0.0235,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://i-pro.com/products_and_solutions/en/surveillance/solutions/technologies/cyber-security/psirt/security-advisories","https://jvn.jp/en/jp/JVN42090270/"],"published_time":"2026-04-23T07:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-10549","summary":"EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. 
A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.","cvss":5.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.1,"cvss_v4":null,"epss":4e-05,"ranking_epss":0.00191,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95","https://r.sec-consult.com/controlio"],"published_time":"2026-04-23T07:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41232","summary":"Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent \"domains,\" allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06953,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6","https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"],"published_time":"2026-04-23T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41233","summary":"Froxlor is open source server administration software. 
Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09817,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4","https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"],"published_time":"2026-04-23T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41988","summary":"uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. 
In particular, UUID version 4, which is very commonly used, is unaffected by this issue.","cvss":3.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.2,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01931,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34","https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq","https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"],"published_time":"2026-04-23T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41989","summary":"Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dev.gnupg.org/T8211","https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html","https://www.openwall.com/lists/oss-security/2026/04/21/1"],"published_time":"2026-04-23T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41990","summary":"Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01739,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dev.gnupg.org/T8208","https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html","https://www.openwall.com/lists/oss-security/2026/04/21/1"],"published_time":"2026-04-23T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40529","summary":"CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. 
Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":5.1,"epss":0.00026,"ranking_epss":0.07382,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jvn.jp/en/jp/JVN08026319/"],"published_time":"2026-04-23T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41228","summary":"Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.1717,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7","https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"],"published_time":"2026-04-23T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41229","summary":"Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. 
When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12556,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8","https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"],"published_time":"2026-04-23T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41230","summary":"Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. 
Version 2.3.6 fixes the issue.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12371,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c","https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"],"published_time":"2026-04-23T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41231","summary":"Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. 
Version 2.3.6 contains an updated fix.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1453,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d","https://github.com/froxlor/froxlor/releases/tag/2.3.6","https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r","https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"],"published_time":"2026-04-23T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3361","summary":"The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator","https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve"],"published_time":"2026-04-23T04:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3007","summary":"Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet 
feature.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07689,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-042/"],"published_time":"2026-04-23T04:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3844","summary":"The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if \"Host Files Locally - Gravatars\" is enabled, which is disabled by default.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00059,"ranking_epss":0.18484,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L119","https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L89","https://plugins.trac.wordpress.org/changeset/3511463/breeze","https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0?source=cve"],"published_time":"2026-04-23T03:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2951","summary":"The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3495930/gutentor","https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"],"published_time":"2026-04-23T03:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41243","summary":"OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit 844b2a40a69d0c4911580fe501923f0b391313ab fixes the issue.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00041,"ranking_epss":0.12439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/siemvk/OpenLearn/commit/844b2a40a69d0c4911580fe501923f0b391313ab","https://github.com/siemvk/OpenLearn/security/advisories/GHSA-4rv3-hfh6-vqvm","https://github.com/siemvk/OpenLearn/security/advisories/GHSA-4rv3-hfh6-vqvm"],"published_time":"2026-04-23T02:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41679","summary":"Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. 
The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00172,"ranking_epss":0.38212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7","https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7"],"published_time":"2026-04-23T02:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41197","summary":"Noir is a Domain Specific Language for SNARK proving systems that is designed to use any ACIR compatible proving system, and Brillig is the bytecode ACIR uses for non-determinism. Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in `BrilligBlock::compile_block()`. When the compiler encounters an `Instruction::Call` with a `Value::ForeignFunction` target, it invokes `codegen_call()` in `brillig_call/code_gen_call.rs`, which dispatches to `convert_ssa_foreign_call()`. Before emitting the foreign call opcode, the compiler must pre-allocate memory for any array results the call will return. This happens through `allocate_external_call_results()`, which iterates over the result types. For `Type::Array` results, it delegates to `allocate_foreign_call_result_array()` to recursively allocate memory on the heap for nested arrays. The `BrilligArray` struct is the internal representation of a Noir array in Brillig IR. Its `size` field represents the semi-flattened size, the total number of memory slots the array occupies, accounting for the fact that composite types like tuples consume multiple slots per element. This size is computed by `compute_array_length()` in `brillig_block_variables.rs`. 
For the outer array, `allocate_external_call_results()` correctly uses `define_variable()`, which internally calls `allocate_value_with_type()`. This function applies the formula above, producing the correct semi-flattened size. However, for nested arrays, `allocate_foreign_call_result_array()` contains a bug. The pattern `Type::Array(_, nested_size)` discards the inner types with `_` and uses only `nested_size`, the semantic length of the nested array (the number of logical elements), not the semi-flattened size. For simple element types this works correctly, but for composite element types it under-allocates. Foreign calls returning nested arrays of tuples or other composite types corrupt the Brillig VM heap. Version 1.0.0-beta.19 fixes this issue.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00042,"ranking_epss":0.12865,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/noir-lang/noir/releases/tag/v1.0.0-beta.19","https://github.com/noir-lang/noir/security/advisories/GHSA-jj7c-x25r-r8r3"],"published_time":"2026-04-23T02:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41200","summary":"STIG Manager is an API and web client for managing  Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. 
The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.5,"epss":0.0005,"ranking_epss":0.15346,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NUWCDIVNPT/stig-manager/security/advisories/GHSA-wg33-j3rv-jq72"],"published_time":"2026-04-23T02:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41206","summary":"PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed. 
Version 0.1.8 fixes the issue.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00023,"ranking_epss":0.06234,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555","https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e","https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r","https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r"],"published_time":"2026-04-23T02:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41208","summary":"Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. 
@paperclipai/server version 2026.416.0 fixes the issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00229,"ranking_epss":0.45548,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4","https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"],"published_time":"2026-04-23T02:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41211","summary":"Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.4,"epss":0.00014,"ranking_epss":0.02846,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2","https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2"],"published_time":"2026-04-23T02:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41196","summary":"Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. 
On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).","cvss":9.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.0,"epss":0.00069,"ranking_epss":0.21129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896","https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"],"published_time":"2026-04-23T02:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41182","summary":"LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. 
Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.078,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-rr7j-v2q5-chgv"],"published_time":"2026-04-23T02:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1923","summary":"The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3467694/social-rocket","https://www.wordfence.com/threat-intel/vulnerabilities/id/d92fc04e-201e-4fc3-bbf0-4f2f3de3ee95?source=cve"],"published_time":"2026-04-23T02:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41180","summary":"PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. 
The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10308,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6","https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3","https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586","https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"],"published_time":"2026-04-23T02:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6874","summary":"A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.3,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":8e-05,"ranking_epss":0.00835,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/August829/CVEP/issues/32","https://vuldb.com/submit/795212","https://vuldb.com/vuln/359039","https://vuldb.com/vuln/359039/cti"],"published_time":"2026-04-23T00:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6878","summary":"A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":6.3,"cvss_version":4.0,"cvss_v2":5.1,"cvss_v3":5.6,"cvss_v4":6.3,"epss":0.00039,"ranking_epss":0.11725,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zast-ai/vulnerability-reports/blob/main/bytedance/verl_rce.md","https://vuldb.com/submit/795257","https://vuldb.com/vuln/359040","https://vuldb.com/vuln/359040/cti"],"published_time":"2026-04-23T00:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4917","summary":"IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to write arbitrary files on the system.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02211,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270422"],"published_time":"2026-04-23T00:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4918","summary":"IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.0659,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270422"],"published_time":"2026-04-23T00:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4919","summary":"IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. 
This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.0659,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270422"],"published_time":"2026-04-23T00:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5926","summary":"IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05166,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269372"],"published_time":"2026-04-23T00:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5935","summary":"IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.14337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270127"],"published_time":"2026-04-23T00:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29198","summary":"In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability 
can lead to account takeover of the first user with a generated token when an OAuth app is configured.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08795,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RocketChat/Rocket.Chat/pull/39492","https://hackerone.com/reports/3564655"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32679","summary":"The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCamPluginForAdmin.exe) insecurely load Dynamic Link Libraries (DLLs). If a malicious DLL is placed at the same directory, the affected installer may load that DLL and execute its code with the privilege of the user invoking the installer.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.4,"epss":0.00014,"ranking_epss":0.02723,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jvn.jp/en/jp/JVN45563482/","https://web.liveon.ne.jp/wp-content/uploads/2026/04/JMSSA2026-001.pdf"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3621","summary":"IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15437,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270437"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40062","summary":"A path Traversal 
vulnerability exists in Ziostation2 v2.9.8.7 and earlier. A remote unauthenticated attacker may get sensitive information on the operating system.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00096,"ranking_epss":0.26414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jvn.jp/en/jp/JVN00575116/"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41176","summary":"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.2,"epss":0.02794,"ranking_epss":0.86129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go","https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go","https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx","https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41179","summary":"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. 
Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.2,"epss":0.05976,"ranking_epss":0.90692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go","https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go","https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go","https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q"],"published_time":"2026-04-23T00:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1272","summary":"IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.06063,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269445"],"published_time":"2026-04-23T00:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1274","summary":"IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to a Bypass Business Logic vulnerability in the access management control 
panel.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00734,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269445"],"published_time":"2026-04-23T00:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1352","summary":"IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13404,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269433"],"published_time":"2026-04-23T00:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1726","summary":"IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00693,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7268697"],"published_time":"2026-04-23T00:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-36074","summary":"IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. 
A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10532,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7268907"],"published_time":"2026-04-23T00:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4049","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T23:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41312","summary":"pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":0.00014,"ranking_epss":0.02533,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11","https://github.com/py-pdf/pypdf/pull/3734","https://github.com/py-pdf/pypdf/releases/tag/6.10.2","https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f"],"published_time":"2026-04-22T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41313","summary":"pypdf is a free and open-source pure-python PDF library. 
An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":0.00014,"ranking_epss":0.02533,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/py-pdf/pypdf/commit/c50a0104cf083356f7c7f5d61410466a57f5c88a","https://github.com/py-pdf/pypdf/pull/3735","https://github.com/py-pdf/pypdf/releases/tag/6.10.2","https://github.com/py-pdf/pypdf/security/advisories/GHSA-4pxv-j86v-mhcw"],"published_time":"2026-04-22T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41314","summary":"pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. 
As a workaround, one may apply the changes from the patch manually.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":0.00014,"ranking_epss":0.02533,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11","https://github.com/py-pdf/pypdf/pull/3734","https://github.com/py-pdf/pypdf/releases/tag/6.10.2","https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p"],"published_time":"2026-04-22T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41454","summary":"WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":8.7,"epss":0.00036,"ranking_epss":0.10608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4","https://github.com/wekan/wekan/releases/tag/v8.35","https://www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-api"],"published_time":"2026-04-22T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41455","summary":"WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. 
Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":6.3,"epss":0.00027,"ranking_epss":0.07477,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4","https://github.com/wekan/wekan/releases/tag/v8.35","https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url"],"published_time":"2026-04-22T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40517","summary":"radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. 
Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.4,"epss":0.00022,"ranking_epss":0.05942,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero","https://github.com/radareorg/radare2/issues/25730","https://github.com/radareorg/radare2/pull/25731","https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-symbol-names"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41170","summary":"Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the \"Backup\" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. 
Version 7.23.0 contains a fix.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":0.00036,"ranking_epss":0.10514,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4","https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g","https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41171","summary":"Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":0.00031,"ranking_epss":0.09131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4","https://github.com/Squidex/squidex/security/advisories/GHSA-4m22-gvqm-jv97","https://github.com/Squidex/squidex/security/advisories/GHSA-4m22-gvqm-jv97"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41172","summary":"Squidex is an open source headless content management system and content management hub. 
Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":0.00038,"ranking_epss":0.11521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4","https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv","https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41175","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. 
This has been fixed in 5.73.20 and 6.13.0.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.15174,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41177","summary":"Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10345,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4","https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5","https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5"],"published_time":"2026-04-22T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41134","summary":"Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). 
When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation is from an untrusted source, or a normally trusted OpenAPI description has been compromised/tampered with. Only generating from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":0.00051,"ranking_epss":0.15817,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/microsoft/kiota/security/advisories/GHSA-2hx3-vp6r-mg3f"],"published_time":"2026-04-22T21:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41166","summary":"OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. 
Version 1.22.1 fixes the issue.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openremote/openremote/releases/tag/1.22.1","https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44","https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"],"published_time":"2026-04-22T21:17:09","vendor":"openremote","product":"openremote","version":null},{"cve_id":"CVE-2026-41167","summary":"Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. 
Version 1.1.10 contains a fix.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00077,"ranking_epss":0.2279,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665","https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m","https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"],"published_time":"2026-04-22T21:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41168","summary":"pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00042,"ranking_epss":0.12923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/py-pdf/pypdf/commit/62338e9d36419cf193ccec7331784f45df1d70b3","https://github.com/py-pdf/pypdf/pull/3733","https://github.com/py-pdf/pypdf/releases/tag/6.10.1","https://github.com/py-pdf/pypdf/security/advisories/GHSA-jj6c-8h6c-hppx"],"published_time":"2026-04-22T21:17:09","vendor":"pypdf_project","product":"pypdf","version":null},{"cve_id":"CVE-2026-34068","summary":"nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. This skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. 
Because tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature. While the impact is critical, the exploitability is low: The voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00797,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/e7f0ab7d2115e17d6e5548ddc60f10df1a5d645f","https://github.com/nimiq/core-rs-albatross/pull/3654","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-pf4j-pf3w-95f9"],"published_time":"2026-04-22T21:17:08","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-3837","summary":"An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. 
The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping.\n\nThis issue affects Frappe: 16.10.0.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.6,"epss":0.0007,"ranking_epss":0.21334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fluidattacks.com/es/advisories/sabina","https://github.com/frappe/frappe"],"published_time":"2026-04-22T21:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40882","summary":"OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":0.00056,"ranking_epss":0.174,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc","https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"],"published_time":"2026-04-22T21:17:08","vendor":"openremote","product":"openremote","version":null},{"cve_id":"CVE-2026-40937","summary":"RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. 
A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15356,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94","https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"],"published_time":"2026-04-22T21:17:08","vendor":"rustfs","product":"rustfs","version":null},{"cve_id":"CVE-2026-34067","summary":"nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. 
No known workarounds are available.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.0123,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a","https://github.com/nimiq/core-rs-albatross/pull/3659","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm"],"published_time":"2026-04-22T21:17:07","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-33656","summary":"EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00054,"ranking_epss":0.16903,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x","https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x"],"published_time":"2026-04-22T21:17:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33733","summary":"EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. 
As a result, an authenticated admin can use `../` sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to `body.tpl` or `subject.tpl` under the web application user's filesystem permissions. Version 9.3.4 fixes the issue.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00076,"ranking_epss":0.22537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh","https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh"],"published_time":"2026-04-22T21:17:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6019","summary":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. The mitigation base64-encodes the cookie value to prevent escaping via the cookie value.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104","https://github.com/python/cpython/issues/90309","https://github.com/python/cpython/pull/148848","https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"],"published_time":"2026-04-22T20:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34065","summary":"nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. 
Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.1264,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/e10eaebcd7774e5da6d0ff5e88ed13503474f0ff","https://github.com/nimiq/core-rs-albatross/pull/3662","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-7c4j-2m43-2mgh"],"published_time":"2026-04-22T20:16:41","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-34066","summary":"nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic. `extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run. The patch for this vulnerability is included as part of v1.3.0. 
No known workarounds are available.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.15246,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50","https://github.com/nimiq/core-rs-albatross/pull/3656","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg"],"published_time":"2026-04-22T20:16:41","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-3673","summary":"An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.\nThis issue affects Frappe: 16.10.10.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.6,"epss":0.0007,"ranking_epss":0.21334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fluidattacks.com/es/advisories/silvio","https://github.com/frappe/frappe","https://fluidattacks.com/es/advisories/silvio"],"published_time":"2026-04-22T20:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33471","summary":"nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0, if an attacker can get a `SkipBlockProof` verified where `MultiSignature.signers` contains out-of-range indices spaced by 65536, these indices inflate `len()` but collide onto the same in-range `u16` slot during aggregation. 
This makes it possible for a malicious validator with far fewer than `2f+1` real signer slots to pass skip block proof verification by multiplying a single BLS signature by the same factor. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/d02059053181ed8ddad6b59a0adfd661ef5cd823","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-6973-8887-87ff"],"published_time":"2026-04-22T20:16:40","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-34062","summary":"nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. Because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. 
No known workarounds are available.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr"],"published_time":"2026-04-22T20:16:40","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-34063","summary":"Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. The handler assumes there is at most one inbound and one outbound discovery substream per connection. If a remote peer opens/negotiates the discovery protocol substream a second time on the same connection, the handler hits a `panic!(\"Inbound already connected\")` / `panic!(\"Outbound already connected\")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. 
No known workarounds are available.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.1264,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/e0d4e01994f061bf41d3c2835bc74040d3c084f5","https://github.com/nimiq/core-rs-albatross/pull/3666","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-74hp-mhfx-m45h"],"published_time":"2026-04-22T20:16:40","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-34064","summary":"nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. 
No known workarounds are available.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08266,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0","https://github.com/nimiq/core-rs-albatross/pull/3658","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3"],"published_time":"2026-04-22T20:16:40","vendor":"nimiq","product":"nimiq_proof-of-stake","version":null},{"cve_id":"CVE-2026-41469","summary":"Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.2,"cvss_v4":5.1,"epss":0.00026,"ranking_epss":0.0727,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py","https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt","https://www.beghelli.it","https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/","https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy"],"published_time":"2026-04-22T19:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41459","summary":"Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the 
application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bootstrapbool/xerteonlinetoolkits-rce","https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8","https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527","https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup","https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits","https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"],"published_time":"2026-04-22T19:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41468","summary":"Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. 
Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":9.3,"epss":0.00066,"ranking_epss":0.20396,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py","https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt","https://www.beghelli.it","https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/","https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-sandbox-escape-via-template-injection"],"published_time":"2026-04-22T19:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34414","summary":"Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. 
Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00094,"ranking_epss":0.26115,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bootstrapbool/xerteonlinetoolkits-rce","https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805","https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212","https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23","https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527","https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php","https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits","https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"],"published_time":"2026-04-22T19:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34415","summary":"Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. 
Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00193,"ranking_epss":0.41073,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bootstrapbool/xerteonlinetoolkits-rce","https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805","https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212","https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23","https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527","https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector","https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits","https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"],"published_time":"2026-04-22T19:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34413","summary":"Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. 
Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":8.8,"epss":0.00325,"ranking_epss":0.55493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bootstrapbool/xerteonlinetoolkits-rce","https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805","https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212","https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23","https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527","https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php","https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits","https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"],"published_time":"2026-04-22T19:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26354","summary":"Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain a stack-based Buffer Overflow vulnerability. 
An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1456,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"],"published_time":"2026-04-22T19:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28950","summary":"A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.01947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.apple.com/en-us/127002","https://support.apple.com/en-us/127003"],"published_time":"2026-04-22T19:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4922","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00848,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/594937","https://hackerone.com/reports/3627285"],"published_time":"2026-04-22T17:16:44","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-5262","summary":"GitLab has 
remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/595332","https://hackerone.com/reports/3574642"],"published_time":"2026-04-22T17:16:44","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-5377","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02106,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/595553","https://hackerone.com/reports/3640688"],"published_time":"2026-04-22T17:16:44","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-5816","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain 
conditions.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02261,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/592816","https://hackerone.com/reports/3572231"],"published_time":"2026-04-22T17:16:44","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-6515","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0173,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/595993"],"published_time":"2026-04-22T17:16:44","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-35380","summary":"A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. 
This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11399","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35381","summary":"A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. 
This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11394","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:43","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35382","summary":"Rejected reason: Voluntarily withdrawn","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T17:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3254","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.","cvss":3.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.5,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01519,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/gitlab-org/gitlab/-/work_items/591587","https://hackerone.com/reports/3572752"],"published_time":"2026-04-22T17:16:43","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-35374","summary":"A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. 
However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11401"],"published_time":"2026-04-22T17:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35375","summary":"A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. 
In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11397","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35376","summary":"A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.","cvss":4.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.5,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01517,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11402","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35377","summary":"A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. 
In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\\\ and \\'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an \"invalid sequence\" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \\a or \\x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11512"],"published_time":"2026-04-22T17:16:42","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35378","summary":"A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within \"dead\" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. 
This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02526,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11395","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35379","summary":"A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. 
For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11405","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35372","summary":"A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the \"no-dereference\" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. 
In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05152,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11253","https://github.com/uutils/coreutils/releases/tag/0.8.0"],"published_time":"2026-04-22T17:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35373","summary":"A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02164,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11403"],"published_time":"2026-04-22T17:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35366","summary":"The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. 
This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01425,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9701","https://github.com/uutils/coreutils/pull/9728","https://github.com/uutils/coreutils/releases/tag/0.6.0","https://github.com/uutils/coreutils/issues/9701"],"published_time":"2026-04-22T17:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35367","summary":"The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00921,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10021","https://github.com/uutils/coreutils/issues/10021"],"published_time":"2026-04-22T17:16:40","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35368","summary":"A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. 
On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02441,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10327","https://github.com/uutils/coreutils/issues/10327"],"published_time":"2026-04-22T17:16:40","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35369","summary":"An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05144,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/9700","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35370","summary":"The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. 
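The kill argument-parsing record (CVE-2026-35369) comes down to one question: when is a leading-minus token a signal and when is it a target? As an added example (not uutils or GNU code; the rules are modelled on the record's description of GNU behaviour, and the helper names are my own), the parser below settles a signal before it will accept any negative number as a process-group target, so a bare `kill -1` fails with a missing-PID error instead of signalling every process the caller can reach. It also shows the check a wrapper script would want before dispatching: whether the parsed command line targets PID -1 at all.

```python
import signal

DEFAULT_SIGNAL = int(signal.SIGTERM)   # 15 on Linux and the BSDs


def _signal_number(spec):
    # Accept a number (1), a bare name (HUP) or a prefixed name (SIGHUP); return the int.
    if spec.isdigit():
        return int(spec)
    name = spec.upper()
    if not name.startswith('SIG'):
        name = 'SIG' + name
    try:
        return int(getattr(signal, name))
    except AttributeError:
        raise ValueError('unknown signal: ' + spec) from None


def parse_kill_args(argv):
    '''Return (signal_number, [pids]) for a kill command line, or raise ValueError.

    Rules modelled on the CVE-2026-35369 record: before a signal has been settled, a token
    such as -1 or -HUP is a signal specification; only after a signal is known, or after a
    literal --, is a leading-minus number a (negative) process-group target. With no PID
    left over the command is an error, never a dispatch to PID -1.
    '''
    sig = None
    pids = []
    seen_dashdash = False
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == '--' and not seen_dashdash:
            seen_dashdash = True
        elif tok == '-s' and sig is None and not seen_dashdash:
            if i + 1 >= len(argv):
                raise ValueError('-s requires a signal')
            sig = _signal_number(argv[i + 1])
            i += 1
        elif tok.startswith('-') and len(tok) > 1 and sig is None and not pids and not seen_dashdash:
            sig = _signal_number(tok[1:])           # kill -1 ... means SIGHUP, not PID -1
        else:
            try:
                pids.append(int(tok))               # negative values are process groups
            except ValueError:
                raise ValueError('invalid process id: ' + tok) from None
        i += 1
    if not pids:
        raise ValueError('no process ID specified')
    return (sig if sig is not None else DEFAULT_SIGNAL), pids


def parse_or_error(argv):
    # Convenience for callers that want the message instead of an exception.
    try:
        return parse_kill_args(argv)
    except ValueError as exc:
        return str(exc)


def would_signal_everything(argv):
    # The guard a wrapper script should apply before calling os.kill: does this
    # command line, as parsed, target PID -1 (every process visible to the caller)?
    parsed = parse_or_error(argv)
    return isinstance(parsed, tuple) and -1 in parsed[1]


if __name__ == '__main__':
    for line in (['-1'], ['-9', '1234'], ['-HUP', '5'], ['--', '-1'], ['-9', '-1']):
        print(line, '->', parse_or_error(line), 'broadcast' if would_signal_everything(line) else '')
```

Note that `kill -9 -1` is still accepted, as it is by GNU kill, because the signal was settled first; the point is only that `-1` on its own never reaches the dispatch step.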
Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.021,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10006","https://github.com/uutils/coreutils/issues/10006"],"published_time":"2026-04-22T17:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35371","summary":"The id utility in uutils coreutils exhibits incorrect behavior in its \"pretty print\" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01185,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10006","https://github.com/uutils/coreutils/issues/10006"],"published_time":"2026-04-22T17:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35363","summary":"A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. 
The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.","cvss":5.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.6,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00957,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9749"],"published_time":"2026-04-22T17:16:39","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35364","summary":"A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10015","https://github.com/uutils/coreutils/issues/10015"],"published_time":"2026-04-22T17:16:39","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35365","summary":"The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. 
This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.01994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10546","https://github.com/uutils/coreutils/releases/tag/0.7.0"],"published_time":"2026-04-22T17:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35356","summary":"A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10140","https://github.com/uutils/coreutils/releases/tag/0.7.0"],"published_time":"2026-04-22T17:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35357","summary":"The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. 
A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00979,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10011","https://github.com/uutils/coreutils/issues/10011"],"published_time":"2026-04-22T17:16:38","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35358","summary":"The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01697,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9746","https://github.com/uutils/coreutils/pull/11163","https://github.com/uutils/coreutils/releases/tag/0.7.0","https://github.com/uutils/coreutils/issues/9746"],"published_time":"2026-04-22T17:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35359","summary":"A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. 
An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03799,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10017","https://github.com/uutils/coreutils/issues/10017"],"published_time":"2026-04-22T17:16:38","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35360","summary":"The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10019","https://github.com/uutils/coreutils/issues/10019"],"published_time":"2026-04-22T17:16:38","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35361","summary":"The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. 
This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.","cvss":3.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.4,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10582","https://github.com/uutils/coreutils/releases/tag/0.6.0","https://github.com/uutils/coreutils/pull/10582"],"published_time":"2026-04-22T17:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35362","summary":"The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.","cvss":3.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.6,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02072,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/9792","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35348","summary":"The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. 
A local attacker can exploit this to crash the utility and disrupt automated pipelines.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02108,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9696","https://github.com/uutils/coreutils/issues/9696"],"published_time":"2026-04-22T17:16:37","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35349","summary":"A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02691,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/9706","https://github.com/uutils/coreutils/releases/tag/0.7.0"],"published_time":"2026-04-22T17:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35350","summary":"The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. 
This differs from GNU cp, which clears these bits when ownership cannot be preserved.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9750","https://github.com/uutils/coreutils/issues/9750"],"published_time":"2026-04-22T17:16:37","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35351","summary":"The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01324,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9714","https://github.com/uutils/coreutils/issues/9714"],"published_time":"2026-04-22T17:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35352","summary":"A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. 
This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.0107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10020","https://github.com/uutils/coreutils/issues/10020"],"published_time":"2026-04-22T17:16:37","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35353","summary":"The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00896,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10036","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35354","summary":"A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. 
A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.0146,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10014","https://github.com/uutils/coreutils/issues/10014"],"published_time":"2026-04-22T17:16:37","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35355","summary":"The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10067","https://github.com/uutils/coreutils/releases/tag/0.6.0","https://github.com/uutils/coreutils/pull/10067"],"published_time":"2026-04-22T17:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35341","summary":"A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. 
This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.01011,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10020"],"published_time":"2026-04-22T17:16:36","vendor":"uutils","product":"coreutils","version":null},{"cve_id":"CVE-2026-35342","summary":"The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02625,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10566","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35343","summary":"The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. 
This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/11143","https://github.com/uutils/coreutils/releases/tag/0.7.0"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35344","summary":"The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/9745"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35345","summary":"A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. 
In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10328","https://github.com/uutils/coreutils/issues/10328"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35346","summary":"The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/issues/10192","https://github.com/uutils/coreutils/pull/10206","https://github.com/uutils/coreutils/releases/tag/0.6.0","https://github.com/uutils/coreutils/issues/10192"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35347","summary":"The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. 
If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05263,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/9545","https://github.com/uutils/coreutils/releases/tag/0.6.0","https://github.com/uutils/coreutils/pull/9545"],"published_time":"2026-04-22T17:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35338","summary":"A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01226,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10033","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35339","summary":"The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. 
This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01185,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/9793","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35340","summary":"A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uutils/coreutils/pull/10035","https://github.com/uutils/coreutils/releases/tag/0.6.0"],"published_time":"2026-04-22T17:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32885","summary":"DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. 
Version 1.25.2 patches the issue.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ddev/ddev/releases/tag/v1.25.2","https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg","https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg"],"published_time":"2026-04-22T17:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-3922","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/537422","https://hackerone.com/reports/3098035"],"published_time":"2026-04-22T17:16:33","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2025-6016","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain 
conditions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05819,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/548940","https://hackerone.com/reports/3160363"],"published_time":"2026-04-22T17:16:33","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2025-9957","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01818,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/567781","https://hackerone.com/reports/3275222"],"published_time":"2026-04-22T17:16:33","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-1660","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input 
validation.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/588200","https://hackerone.com/reports/3518743"],"published_time":"2026-04-22T17:16:33","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2025-0186","summary":"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/","https://gitlab.com/gitlab-org/gitlab/-/work_items/511312","https://hackerone.com/reports/2915694"],"published_time":"2026-04-22T17:16:32","vendor":"gitlab","product":"gitlab","version":null},{"cve_id":"CVE-2026-30139","summary":"A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted 
input.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08281,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Silverpeas/Silverpeas-Core/pull/1421","https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139","https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139"],"published_time":"2026-04-22T16:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-58922","summary":"Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery. This issue affects Avada: from n/a before 7.13.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02854,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-13-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"published_time":"2026-04-22T16:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25272","summary":"ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. 
Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00168,"ranking_epss":0.37664,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.elba.at","https://www.exploit-db.com/exploits/45905","https://www.vulncheck.com/advisories/elba5-remote-code-execution-via-database-access"],"published_time":"2026-04-22T16:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-58344","summary":"Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":5.1,"epss":0.0003,"ranking_epss":0.08698,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lincanbin/Carbon-Forum","https://www.94cb.com/","https://www.exploit-db.com/exploits/52043","https://www.vulncheck.com/advisories/carbon-forum-persistent-xss-via-forum-name-field"],"published_time":"2026-04-22T16:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25266","summary":"Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. 
Attackers can generate a file containing a massive buffer of repeated characters and paste it into the unavailable value field in the display preferences to trigger a denial of service.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://angryip.org","https://www.exploit-db.com/exploits/45993","https://www.vulncheck.com/advisories/angry-ip-scanner-denial-of-service-via-preferences-buffer-overflow"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25267","summary":"UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Attackers can craft a malicious filename string with 304 bytes of data followed by SEH record overwrite values and paste it into the Output FileName field to trigger a denial of service crash.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/45996","https://www.ultraiso.com/","https://www.vulncheck.com/advisories/ultraiso-buffer-overflow-via-output-filename"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25268","summary":"LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. 
Attackers can craft a payload with 688 bytes of padding followed by 4 bytes of controlled data to crash the application or potentially achieve code execution.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02219,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lizardsystems.com","https://www.exploit-db.com/exploits/45968","https://www.vulncheck.com/advisories/lanspy-local-buffer-overflow-via-scan-field"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25269","summary":"ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.00029,"ranking_epss":0.08202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.icewarp.com/","https://www.exploit-db.com/exploits/45974","https://www.vulncheck.com/advisories/icewarp-cross-site-scripting-via-email-html-injection"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25270","summary":"ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. 
Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00178,"ranking_epss":0.39148,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/top-think/framework/","https://thinkphp.cn","https://www.exploit-db.com/exploits/45978","https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25271","summary":"Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00012,"ranking_epss":0.0161,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://textpad.com","https://www.exploit-db.com/exploits/45956","https://www.textpad.com/download/v81/win32/txpeng812-32.zip","https://www.vulncheck.com/advisories/textpad-denial-of-service-via-run-command"],"published_time":"2026-04-22T16:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25260","summary":"MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. 
Attackers can craft a malicious payload, paste it into the Server field via the CD menu's FreeDB Proxy Options, and trigger code execution when settings are accepted.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02366,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46056","https://www.magix.com/us/","https://www.magix.com/us/music/mp3-deluxe/","https://www.vulncheck.com/advisories/magix-music-editor-buffer-overflow-via-seh"],"published_time":"2026-04-22T16:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25261","summary":"Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes, enabling code execution with application privileges.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02219,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46059","https://www.iperiusbackup.com","https://www.vulncheck.com/advisories/iperius-backup-local-buffer-overflow-seh"],"published_time":"2026-04-22T16:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25262","summary":"Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. 
Attackers can craft a malicious string containing buffer overflow patterns and paste it into the Preferences Ports tab to trigger an application crash.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://angryip.org/","https://www.exploit-db.com/exploits/46038","https://www.vulncheck.com/advisories/angry-ip-scanner-for-linux-denial-of-service"],"published_time":"2026-04-22T16:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25265","summary":"LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02219,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lizardsystems.com","https://www.exploit-db.com/exploits/46018","https://www.vulncheck.com/advisories/lanspy-local-buffer-overflow"],"published_time":"2026-04-22T16:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25259","summary":"Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. 
Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00012,"ranking_epss":0.0161,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lizardsystems.com","https://www.exploit-db.com/exploits/46058","https://www.vulncheck.com/advisories/terminal-services-manager-buffer-overflow-seh"],"published_time":"2026-04-22T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35548","summary":"An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://guardsix.com/media-room#/pressreleases/logpoint-becomes-guardsix-as-europe-reassesses-sovereign-security-operations-3436974","https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source"],"published_time":"2026-04-22T15:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6862","summary":"A flaw was found in libefiboot, a component of efivar. 
The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6862","https://bugzilla.redhat.com/show_bug.cgi?id=2459982"],"published_time":"2026-04-22T14:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6859","summary":"A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00147,"ranking_epss":0.34893,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6859","https://bugzilla.redhat.com/show_bug.cgi?id=2459998"],"published_time":"2026-04-22T14:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6861","summary":"A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. 
A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6861","https://bugzilla.redhat.com/show_bug.cgi?id=2459992"],"published_time":"2026-04-22T14:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5750","summary":"An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":0.00038,"ranking_epss":0.11521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep"],"published_time":"2026-04-22T14:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6355","summary":"A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. 
This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Penguinsecq/CVE-2026-6355/"],"published_time":"2026-04-22T14:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6356","summary":"A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Penguinsecq/CVE-2026-6356/","https://github.com/Penguinsecq/CVE-2026-6356/"],"published_time":"2026-04-22T14:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5749","summary":"Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. 
Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0005,"ranking_epss":0.15431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep"],"published_time":"2026-04-22T14:17:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41651","summary":"PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.\n\nA local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags`  combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:\n1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been  authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.\n2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. 
The transaction continues running with corrupted flags.\n3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06987,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277","https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036","https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882","https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv","https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html","http://www.openwall.com/lists/oss-security/2026/04/22/6","https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html"],"published_time":"2026-04-22T14:17:04","vendor":"packagekit_project","product":"packagekit","version":null},{"cve_id":"CVE-2026-33611","summary":"An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00208,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"],"published_time":"2026-04-22T14:16:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33596","summary":"A client might theoretically be able to 
cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00279,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33597","summary":"PRSD detection denial of service","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01911,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33598","summary":"A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.01005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33599","summary":"A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. 
DDR upgrade is not enabled by default.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00277,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33602","summary":"A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00235,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33608","summary":"An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00289,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"authoritative","version":null},{"cve_id":"CVE-2026-33609","summary":"Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain 
subtrees.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00747,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"authoritative","version":null},{"cve_id":"CVE-2026-33610","summary":"A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"],"published_time":"2026-04-22T14:16:54","vendor":"powerdns","product":"authoritative","version":null},{"cve_id":"CVE-2026-31528","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Make sure to use pmu_ctx->pmu for groups\n\nOliver reported that x86_pmu_del() ended up doing an out-of-bound memory access\nwhen group_sched_in() fails and needs to roll back.\n\nThis *should* be handled by the transaction callbacks, but he found that when\nthe group leader is a software event, the transaction handlers of the wrong PMU\nare used. Despite the move_group case in perf_event_open() and group_sched_in()\nusing pmu_ctx->pmu.\n\nTurns out, inherit uses event->pmu to clone the events, effectively undoing the\nmove_group case for all inherited contexts. 
Fix this by also making inherit use\npmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.\n\nSimilarly, __perf_event_read() should use equally use pmu_ctx->pmu for the\ngroup case.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/35f7914e54fe7f13654c22ee045b05e4b6d8062b","https://git.kernel.org/stable/c/3a696e84a8b1fafdd774bb30d62919faf844d9e4","https://git.kernel.org/stable/c/4b9ce671960627b2505b3f64742544ae9801df97","https://git.kernel.org/stable/c/4c759446046500a1a6785b25725725c3ff087ace","https://git.kernel.org/stable/c/656f35b463995bee024d948440128230aacd81e1"],"published_time":"2026-04-22T14:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31529","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix leakage in __construct_region()\n\nFailing the first sysfs_update_group() needs to explicitly\nkfree the resource as it is too early for cxl_region_iomem_release()\nto do so.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/77b310bb7b5ff8c017524df83292e0242ba89791","https://git.kernel.org/stable/c/f1b4741adf08b0063291ec1b0dfa9c3d55644933"],"published_time":"2026-04-22T14:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31530","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use after free of parent_port in cxl_detach_ep()\n\ncxl_detach_ep() is called during bottom-up removal when all CXL memory\ndevices beneath a switch port have been removed. 
For each port in the\nhierarchy it locks both the port and its parent, removes the endpoint,\nand if the port is now empty, marks it dead and unregisters the port\nby calling delete_switch_port(). There are two places during this work\nwhere the parent_port may be used after freeing:\n\nFirst, a concurrent detach may have already processed a port by the\ntime a second worker finds it via bus_find_device(). Without pinning\nparent_port, it may already be freed when we discover port->dead and\nattempt to unlock the parent_port. In a production kernel that's a\nsilent memory corruption, with lock debug, it looks like this:\n\n[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())\n[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310\n[]Call Trace:\n[]mutex_unlock+0xd/0x20\n[]cxl_detach_ep+0x180/0x400 [cxl_core]\n[]devm_action_release+0x10/0x20\n[]devres_release_all+0xa8/0xe0\n[]device_unbind_cleanup+0xd/0xa0\n[]really_probe+0x1a6/0x3e0\n\nSecond, delete_switch_port() releases three devm actions registered\nagainst parent_port. The last of those is unregister_port() and it\ncalls device_unregister() on the child port, which can cascade. If\nparent_port is now also empty the device core may unregister and free\nit too. So by the time delete_switch_port() returns, parent_port may\nbe free, and the subsequent device_unlock(&parent_port->dev) operates\non freed memory. The kernel log looks same as above, with a different\noffset in cxl_detach_ep().\n\nBoth of these issues stem from the absence of a lifetime guarantee\nbetween a child port and its parent port.\n\nEstablish a lifetime rule for ports: child ports hold a reference to\ntheir parent device until release. Take the reference when the port\nis allocated and drop it when released. 
This ensures the parent is\nvalid for the full lifetime of the child and eliminates the use after\nfree window in cxl_detach_ep().\n\nThis is easily reproduced with a reload of cxl_acpi in QEMU with CXL\ndevices present.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4","https://git.kernel.org/stable/c/2c32141462045cf93d54a5146a0ba572b83533dd","https://git.kernel.org/stable/c/d216a4bd138eb57cc4ae7c43b2f709e3482af7e2","https://git.kernel.org/stable/c/f7dc6f381a1e5f068333f1faa9265d6af1df4235"],"published_time":"2026-04-22T14:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33254","summary":"An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33593","summary":"A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:53","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33594","summary":"A client can trigger excessive memory allocation by 
generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01113,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:53","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-33595","summary":"A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01113,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T14:16:53","vendor":"powerdns","product":"dnsdist","version":null},{"cve_id":"CVE-2026-31522","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: avoid memory leak in magicmouse_report_fixup()\n\nThe magicmouse_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the 
caller.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/136f605e246b4bfe7ac2259471d1ff814aed0084","https://git.kernel.org/stable/c/579c4c9857acdc8380fa99803f355f878bd766cb","https://git.kernel.org/stable/c/79e5dcc95d9abed6f8203cfd529f4ec71f0e505d","https://git.kernel.org/stable/c/7edfe4346b052b708645d0acc0f186425766b785","https://git.kernel.org/stable/c/91e8c6e601bdc1ccdf886479b6513c01c7e51c2c","https://git.kernel.org/stable/c/d84c21aabaab517b9aaf9bc1d785922cb9db2f31","https://git.kernel.org/stable/c/fa95b0146358b49f9858139b67314591fd5871b0"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31523","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: ensure we're polling a polled queue\n\nA user can change the polled queue count at run time. 
There's a brief\nwindow during a reset where a hipri task may try to poll that queue\nbefore the block layer has updated the queue maps, which would race with\nthe now interrupt driven queue and may cause double completions.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0685dd9cb855ab77fcf3577b4702ba1d6df1c98d","https://git.kernel.org/stable/c/166e31d7dbf6aa44829b98aa446bda5c9580f12a","https://git.kernel.org/stable/c/6f12734c4b619f923a4df0b1a46b8098b187d324","https://git.kernel.org/stable/c/965e2c943f065122f14282a88d70a8a92e12a4da","https://git.kernel.org/stable/c/acbc72dd1a09df53cafcf577259f4678be6afd6d","https://git.kernel.org/stable/c/b222680ba55e018426c4535067a008f1d81a5d21","https://git.kernel.org/stable/c/b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3","https://git.kernel.org/stable/c/ba167d5982e2eb6ff9356d409eca592ce99555da"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31524","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: avoid memory leak in asus_report_fixup()\n\nThe asus_report_fixup() function was returning a newly allocated\nkmemdup()-allocated buffer, but never freeing it.  
Switch to\ndevm_kzalloc() to ensure the memory is managed and freed automatically\nwhen the device is removed.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it is permitted to return a pointer whose lifetime is at\nleast that of the input buffer.\n\nAlso fix a harmless out-of-bounds read by copying only the original\ndescriptor size.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2bad24c17742fc88973d6aea526ce1353f5334a3","https://git.kernel.org/stable/c/2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973","https://git.kernel.org/stable/c/726765b43deb2b4723869d673cc5fc6f7a3b2059","https://git.kernel.org/stable/c/7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd","https://git.kernel.org/stable/c/84724ac4821a160d47b84289adf139023027bdbb","https://git.kernel.org/stable/c/a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c","https://git.kernel.org/stable/c/ede95cfcab8064d9a08813fbd7ed42cea8843dcf","https://git.kernel.org/stable/c/f20f17cffbe34fb330267e0f8084f5565f807444"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31525","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN\n\nThe BPF interpreter's signed 32-bit division and modulo handlers use\nthe kernel abs() macro on s32 operands. The abs() macro documentation\n(include/linux/math.h) explicitly states the result is undefined when\nthe input is the type minimum. When DST contains S32_MIN (0x80000000),\nabs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged\non arm64/x86. 
This value is then sign-extended to u64 as\n0xFFFFFFFF80000000, causing do_div() to compute the wrong result.\n\nThe verifier's abstract interpretation (scalar32_min_max_sdiv) computes\nthe mathematically correct result for range tracking, creating a\nverifier/interpreter mismatch that can be exploited for out-of-bounds\nmap value access.\n\nIntroduce abs_s32() which handles S32_MIN correctly by casting to u32\nbefore negating, avoiding signed overflow entirely. Replace all 8\nabs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.\n\ns32 is the only affected case -- the s64 division/modulo handlers do\nnot use abs().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d5d8c3ce45c734aaf3c51cbef59155a6746157d","https://git.kernel.org/stable/c/694ea55f1b1c74f9942d91ec366ae9e822422e42","https://git.kernel.org/stable/c/9ab1227765c446942f290c83382f0b19887c55cf","https://git.kernel.org/stable/c/c77b30bd1dcb61f66c640ff7d2757816210c7cb0","https://git.kernel.org/stable/c/f14ca604c0ff274fba19f73f1f0485c0047c1396"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31526","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exception exit lock checking for subprogs\n\nprocess_bpf_exit_full() passes check_lock = !curframe to\ncheck_resource_leak(), which is false in cases when bpf_throw() is\ncalled from a static subprog. 
This makes check_resource_leak() to skip\nvalidation of active_rcu_locks, active_preempt_locks, and\nactive_irq_id on exception exits from subprogs.\n\nAt runtime bpf_throw() unwinds the stack via ORC without releasing any\nuser-acquired locks, which may cause various issues as the result.\n\nFix by setting check_lock = true for exception exits regardless of\ncurframe, since exceptions bypass all intermediate frame\ncleanup. Update the error message prefix to \"bpf_throw\" for exception\nexits to distinguish them from normal BPF_EXIT.\n\nFix reject_subprog_with_rcu_read_lock test which was previously\npassing for the wrong reason. Test program returned directly from the\nsubprog call without closing the RCU section, so the error was\ntriggered by the unclosed RCU lock on normal exit, not by\nbpf_throw. Update __msg annotations for affected tests to match the\nnew \"bpf_throw\" error prefix.\n\nThe spin_lock case is not affected because they are already checked [1]\nat the call site in do_check_insn() before bpf_throw can run.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5a399f3117642494e35545f6ca397d3e177c1f9b","https://git.kernel.org/stable/c/6c2128505f61b504c79a20b89596feba61388112","https://git.kernel.org/stable/c/c0281da1f2aa5c2fca3a05f79b86bea96591c358"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31527","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field 
without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d","https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1","https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f","https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d"],"published_time":"2026-04-22T14:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31516","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). 
If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29fe3a61bcdce398ee3955101c39f89c01a8a77e","https://git.kernel.org/stable/c/4e2e77843fef473ef47e322d52436d8308582a96","https://git.kernel.org/stable/c/56ea2257b83ee29a543f158159e3d1abc1e3e4fe","https://git.kernel.org/stable/c/8854e9367465d784046362698731c1111e3b39b8"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31517","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. 
It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n  <IRQ>\n  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n  iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n  xfrm_input+0x91e/0x1a50\n  xfrm4_esp_rcv+0x3a/0x110\n  ip_protocol_deliver_rcu+0x1d7/0x1f0\n  ip_local_deliver_finish+0xbe/0x1e0\n  __netif_receive_skb_core.constprop.0+0xb56/0x1120\n  __netif_receive_skb_list_core+0x133/0x2b0\n  netif_receive_skb_list_internal+0x1ff/0x3f0\n  napi_complete_done+0x81/0x220\n  virtnet_poll+0x9d6/0x116e [virtio_net]\n  __napi_poll.constprop.0+0x2b/0x270\n  net_rx_action+0x162/0x360\n  handle_softirqs+0xdc/0x510\n  __irq_exit_rcu+0xe7/0x110\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0x85/0xa0\n  </IRQ>\n  <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). 
As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5","https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951","https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31518","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an 
error.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2","https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd","https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9","https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4","https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47","https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818","https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224","https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31519","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create\n\nWe have recently observed a number of subvolumes with broken dentries.\nls-ing the parent dir looks like:\n\ndrwxrwxrwt 1 root root 16 Jan 23 16:49 .\ndrwxr-xr-x 1 root root 24 Jan 23 16:48 ..\nd????????? ? ?    ?     ?            ? broken_subvol\n\nand similarly stat-ing the file fails.\n\nIn this state, deleting the subvol fails with ENOENT, but attempting to\ncreate a new file or subvol over it errors out with EEXIST and even\naborts the fs. 
Which leaves us a bit stuck.\n\ndmesg contains a single notable error message reading:\n\"could not do orphan cleanup -2\"\n\n2 is ENOENT and the error comes from the failure handling path of\nbtrfs_orphan_cleanup(), with the stack leading back up to\nbtrfs_lookup().\n\nbtrfs_lookup\nbtrfs_lookup_dentry\nbtrfs_orphan_cleanup // prints that message and returns -ENOENT\n\nAfter some detailed inspection of the internal state, it became clear\nthat:\n- there are no orphan items for the subvol\n- the subvol is otherwise healthy looking, it is not half-deleted or\n  anything, there is no drop progress, etc.\n- the subvol was created a while ago and does the meaningful first\n  btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much\n  later.\n- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,\n  which results in a negative dentry for the subvolume via\n  d_splice_alias(NULL, dentry), leading to the observed behavior. The\n  bug can be mitigated by dropping the dentry cache, at which point we\n  can successfully delete the subvolume if we want.\n\ni.e.,\nbtrfs_lookup()\n  btrfs_lookup_dentry()\n    if (!sb_rdonly(inode->vfs_inode)->vfs_inode)\n    btrfs_orphan_cleanup(sub_root)\n      test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\n      btrfs_search_slot() // finds orphan item for inode N\n      ...\n      prints \"could not do orphan cleanup -2\"\n  if (inode == ERR_PTR(-ENOENT))\n    inode = NULL;\n  return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume\n\nbtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\non the root when it runs, so it cannot run more than once on a given\nroot, so something else must run concurrently. 
However, the obvious\nroutes to deleting an orphan when nlinks goes to 0 should not be able to\nrun without first doing a lookup into the subvolume, which should run\nbtrfs_orphan_cleanup() and set the bit.\n\nThe final important observation is that create_subvol() calls\nd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if\nthe dentry cache gets dropped, the next lookup into the subvolume will\nmake a real call into btrfs_orphan_cleanup() for the first time. This\nopens up the possibility of concurrently deleting the inode/orphan items\nbut most typical evict() paths will be holding a reference on the parent\ndentry (child dentry holds parent->d_lockref.count via dget in\nd_alloc(), released in __dentry_kill()) and prevent the parent from\nbeing removed from the dentry cache.\n\nThe one exception is delayed iputs. Ordered extent creation calls\nigrab() on the inode. If the file is unlinked and closed while those\nrefs are held, iput() in __dentry_kill() decrements i_count but does\nnot trigger eviction (i_count > 0). 
The child dentry is freed and the\nsubvol dentry's d_lockref.count drops to 0, making it evictable while\nthe inode is still alive.\n\nSince there are two races (the race between writeback and unlink and\nthe race between lookup and delayed iputs), and there are too many moving\nparts, the following three diagrams show the complete picture.\n(Only the second and third are races)\n\nPhase 1:\nCreate Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set\n\nbtrfs_mksubvol()\n  lookup_one_len()\n    __lookup_slow()\n      d_alloc_parallel()\n        __d_alloc() // d_lockref.count = 1\n  create_subvol(dentry)\n    // doesn't touch the bit..\n    d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ec578e6452138ab76f6c9a9c18711fcd197649f","https://git.kernel.org/stable/c/5131fa077f9bb386a1b901bf5b247041f0ec8f80","https://git.kernel.org/stable/c/696683f214495db3cdacab9a713efaaced8660f8","https://git.kernel.org/stable/c/a41a9b8d19a98b45591528c6e54d31cc66271d1e","https://git.kernel.org/stable/c/c57276ced3c3207f42182dfa2f0d8e860357e111","https://git.kernel.org/stable/c/d43da8de0ed376abafbad8a245a1835e8f66cb0f"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31520","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: avoid memory leak in apple_report_fixup()\n\nThe apple_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the 
caller.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/239c15116d80f67d32f00acc34575f1a6b699613","https://git.kernel.org/stable/c/2635d0c715f3fb177e0f80ecd5fa48feb6bf3884","https://git.kernel.org/stable/c/31860c3f7ac66ab897a8c90dc4e74fa17ca0b624","https://git.kernel.org/stable/c/be1a341c161430282acdfe2ac99b413271575cf1","https://git.kernel.org/stable/c/e2f090aeb7b9930a964e151910f4d45b04c8a7e5","https://git.kernel.org/stable/c/e652ebd29928181c3e6820e303da25873e9917d4"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31521","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: Fix kernel panic when a symbol st_shndx is out of bounds\n\nThe module loader doesn't check for bounds of the ELF section index in\nsimplify_symbols():\n\n       for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {\n\t\tconst char *name = info->strtab + sym[i].st_name;\n\n\t\tswitch (sym[i].st_shndx) {\n\t\tcase SHN_COMMON:\n\n\t\t[...]\n\n\t\tdefault:\n\t\t\t/* Divert to percpu allocation if a percpu var. 
*/\n\t\t\tif (sym[i].st_shndx == info->index.pcpu)\n\t\t\t\tsecbase = (unsigned long)mod_percpu(mod);\n\t\t\telse\n  /** HERE --> **/\t\tsecbase = info->sechdrs[sym[i].st_shndx].sh_addr;\n\t\t\tsym[i].st_value += secbase;\n\t\t\tbreak;\n\t\t}\n\t}\n\nA symbol with an out-of-bounds st_shndx value, for example 0xffff\n(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:\n\n  BUG: unable to handle page fault for address: ...\n  RIP: 0010:simplify_symbols+0x2b2/0x480\n  ...\n  Kernel panic - not syncing: Fatal exception\n\nThis can happen when module ELF is legitimately using SHN_XINDEX or\nwhen it is corrupted.\n\nAdd a bounds check in simplify_symbols() to validate that st_shndx is\nwithin the valid range before using it.\n\nThis issue was discovered due to a bug in llvm-objcopy, see relevant\ndiscussion for details [1].\n\n[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c","https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175","https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6","https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23","https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f","https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776","https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92"],"published_time":"2026-04-22T14:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31510","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n\nBefore using sk pointer, check if it is null.\n\nFix the following:\n\n KASAN: 
null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\n CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\n Workqueue: events l2cap_info_timeout\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\n veth0_macvtap: entered promiscuous mode\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS:  0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  __kasan_check_byte+0x12/0x40\n  lock_acquire+0x79/0x2e0\n  lock_sock_nested+0x48/0x100\n  ? l2cap_sock_ready_cb+0x46/0x160\n  l2cap_sock_ready_cb+0x46/0x160\n  l2cap_conn_start+0x779/0xff0\n  ? __pfx_l2cap_conn_start+0x10/0x10\n  ? l2cap_info_timeout+0x60/0xa0\n  ? __pfx___mutex_lock+0x10/0x10\n  l2cap_info_timeout+0x68/0xa0\n  ? process_scheduled_works+0xa8d/0x18c0\n  process_scheduled_works+0xb6e/0x18c0\n  ? __pfx_process_scheduled_works+0x10/0x10\n  ? assign_work+0x3d5/0x5e0\n  worker_thread+0xa53/0xfc0\n  kthread+0x388/0x470\n  ? __pfx_worker_thread+0x10/0x10\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x51e/0xb90\n  ? __pfx_ret_from_fork+0x10/0x10\n veth1_macvtap: entered promiscuous mode\n  ? __switch_to+0xc7d/0x1450\n  ? 
__pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n batman_adv: batadv0: Interface activated: batadv_slave_0\n batman_adv: batadv0: Interface activated: batadv_slave_1\n netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\n ieee80211 phy39: Selected rate control algorithm 'minstrel_ht'\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS:  0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Kernel panic - not syncing: Fatal 
exception","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03d4eafb0f3788239df63575951f6b4c97bbfda4","https://git.kernel.org/stable/c/0780f9333852971ca77d110019e3a66ce5a7b100","https://git.kernel.org/stable/c/1dc6db047919ecd59493cd51248b37381bbabcbb","https://git.kernel.org/stable/c/3c821bc0fbeaa27910a20d0b43c6008d099792af","https://git.kernel.org/stable/c/898b89c90ff9496e64b9331040778cc4e1b28c9d","https://git.kernel.org/stable/c/a04a760c06bb591989db659439efdf106f0bae76","https://git.kernel.org/stable/c/b6552e0503973daf6f23bd6ed9273ef131ee364f","https://git.kernel.org/stable/c/d34776c7fa1f2c510f1cdd14823aba701babb4ad"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31511","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. 
Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/340666172cf747de58c283d2eef1f335f050538b","https://git.kernel.org/stable/c/3a89c33deffb3cb7877a7ea2e50734cd12b064f2","https://git.kernel.org/stable/c/5f5fa4cd35f707344f65ce9e225b6528691dbbaa","https://git.kernel.org/stable/c/bafec9325d4de26b6c49db75b5d5172de652aae0"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31512","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). 
Apply the\nsame validation to the Enhanced Credit Based Flow Control data path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b","https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f","https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4","https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86","https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209","https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6","https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949","https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31513","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker's oversized value. 
Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5b35f8211a913cfe7ab9d54fa36a272d2059a588","https://git.kernel.org/stable/c/9d87cb22195b2c67405f5485d525190747ad5493","https://git.kernel.org/stable/c/a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b","https://git.kernel.org/stable/c/c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31514","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: set fileio bio failed in short read case\n\nFor file-backed mount, IO requests are handled by vfs_iocb_iter_read().\nHowever, it can be interrupted by SIGKILL, returning the number of\nbytes actually copied. 
Unused folios in bio are unexpectedly marked\nas uptodate.\n\n  vfs_read\n    filemap_read\n      filemap_get_pages\n        filemap_readahead\n          erofs_fileio_readahead\n            erofs_fileio_rq_submit\n              vfs_iocb_iter_read\n                filemap_read\n                  filemap_get_pages  <= detect signal\n              erofs_fileio_ki_complete  <= set all folios uptodate\n\nThis patch addresses this by setting short read bio with an error\ndirectly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5a5f23ef5431639db1ac3a0b274aef3a84cc413c","https://git.kernel.org/stable/c/5cf3972c8221abdb1b464a14ccf8103d840b9085","https://git.kernel.org/stable/c/d1ba7d6b3cd1757b108d7b6856c92ae661d6c323","https://git.kernel.org/stable/c/eade54040384f54b7fb330e4b0975c5734850b3c"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31515","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n <TASK>\n  skb_over_panic net/core/skbuff.c:219 [inline]\n  skb_put+0x159/0x210 net/core/skbuff.c:2655\n  skb_put_zero include/linux/skbuff.h:2788 [inline]\n  set_ipsecrequest net/key/af_key.c:3532 [inline]\n  pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n  km_migrate+0x155/0x260 
net/xfrm/xfrm_state.c:2848\n  xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n  xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7b18692c59afb8e5c364c8e3ac01e51dd6b52028","https://git.kernel.org/stable/c/83f644ea92987c100b82d8481ae2230faeed3d34","https://git.kernel.org/stable/c/8ddf8de7e758f6888988467af9ffc8adf589fb16","https://git.kernel.org/stable/c/d0c5aa8dd38887714f1aad04236a3620b56a5e4e","https://git.kernel.org/stable/c/d3225e6b9bd51ec177970a628fe4b11237ce87d5","https://git.kernel.org/stable/c/e06b596fc4eb01936a2e5dccad17c946d660bab8","https://git.kernel.org/stable/c/eb2d16a7d599dc9d4df391b5e660df9949963786","https://git.kernel.org/stable/c/ee836e820a40e2ca4da8af7310bff92d586772d4"],"published_time":"2026-04-22T14:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31504","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. 
A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9","https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796","https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e","https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b","https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b","https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1","https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6","https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31505","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix out-of-bounds writes in iavf_get_ethtool_stats()\n\niavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. 
Since the\nvalue could change in runtime, we should use num_tx_queues instead.\n\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\n\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\n\nThread 1 (ethtool -L)       Thread 2 (work)        Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-> num_active_queues = 8\niavf_schedule_finish_config()\n                                                   iavf_get_sset_count()\n                                                   real_num_tx_queues: 1\n                                                   -> buffer for 1 queue\n                                                   iavf_get_ethtool_stats()\n                                                   num_active_queues: 8\n                                                   -> out-of-bounds!\n                            iavf_finish_config()\n                            -> real_num_tx_queues = 8\n\nUse immutable num_tx_queues in all related functions to avoid the issue.\n\n[1]\n BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\n Write of size 8 at addr ffffc900031c9080 by task ethtool/5800\n\n CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x6f/0xb0\n  print_report+0x170/0x4f3\n  kasan_report+0xe1/0x180\n  iavf_add_one_ethtool_stat+0x200/0x270\n  iavf_get_ethtool_stats+0x14c/0x2e0\n  __dev_ethtool+0x3d0c/0x5830\n  dev_ethtool+0x12d/0x270\n  dev_ioctl+0x53c/0xe30\n  sock_do_ioctl+0x1a9/0x270\n  sock_ioctl+0x3d4/0x5e0\n  __x64_sys_ioctl+0x137/0x1c0\n  
do_syscall_64+0xf3/0x690\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7da0e6e36d\n ...\n  </TASK>\n\n The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\n The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff88813a013de0 pfn:0x13a013\n flags: 0x200000000000000(node=0|zone=2)\n raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\n raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                    ^\n  ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f931dee5b726df1940348ec31614d64bac03aa6","https://git.kernel.org/stable/c/bb85741d2dc2be207353a412f51b83697fcbefcf","https://git.kernel.org/stable/c/fdf902bf86a80bf15792a1d20a67a5302498d7f1","https://git.kernel.org/stable/c/fecacfc95f195b99c71c579a472120d0b4ed65fa"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31506","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix double free of WoL irq\n\nWe do not need to free wol_irq since it was instantiated with\ndevm_request_irq(). 
So devres will free for us.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/121a6ad9cd42ba3bfc57deae93e3326515c2afe1","https://git.kernel.org/stable/c/8a30509ce6a29bdf18e0802383c524a7b2357ec0","https://git.kernel.org/stable/c/9e5f5c07cc7d66522f8c9676c28605eba5d4a20e","https://git.kernel.org/stable/c/cbfa5be2bf64511d49b854a0f9fd6d0b5118621f"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31507","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private.  The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer.  
The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n  1st call: kfree(priv)  sock_put(sk)  smc_rx_update_cons()  [correct]\n  2nd call: kfree(priv)  sock_put(sk)  smc_rx_update_cons()  [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv->smc pointer:\n\n  BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n  Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x53/0x70\n   print_report+0xce/0x650\n   kasan_report+0xc6/0x100\n   smc_rx_pipe_buf_release+0x78/0x2a0\n   free_pipe_info+0xd4/0x130\n   pipe_release+0x142/0x160\n   __fput+0x1c6/0x490\n   __x64_sys_close+0x4f/0x90\n   do_syscall_64+0xa6/0x1a0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000020\n  RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n  Call Trace:\n   <TASK>\n   smc_rx_pipe_buf_release+0x121/0x2a0\n   free_pipe_info+0xd4/0x130\n   pipe_release+0x142/0x160\n   __fput+0x1c6/0x490\n   __x64_sys_close+0x4f/0x90\n   do_syscall_64+0xa6/0x1a0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n  Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting.  
A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT.  Users who need\nto duplicate SMC socket data must use a copy-based read path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24dd586bb4cbba1889a50abe74143817a095c1c9","https://git.kernel.org/stable/c/3cc76380fea749280c026f410af56a28aaac388a","https://git.kernel.org/stable/c/54c87a730157868543ebdfa0ecb21b4590ed23a5","https://git.kernel.org/stable/c/7bcb974c771c863e8588cea0012ac204443a7126","https://git.kernel.org/stable/c/7e8916f46c2f48607f907fd401590093753a6bc5","https://git.kernel.org/stable/c/81acbd345d405994875d419d43b319fee0b9ad62","https://git.kernel.org/stable/c/98ba5cb274768146e25ffbfde47753652c1c20d3","https://git.kernel.org/stable/c/ae5575e660410c8d2c5d38fb28a0f37aea945676"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31508","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. 
This leads to a\nsplat like:\n\n[  998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[  998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[  998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[  998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[  998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[  998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[  998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[  998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[  998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[  998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[  998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[  998.393931] FS:  00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[  998.393936] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[  998.393944] PKRU: 55555554\n[  998.393946] Call Trace:\n[  998.393949]  <TASK>\n[  998.393952]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393961]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393975]  ? dp_device_event+0x41/0x80 [openvswitch]\n[  998.394009]  ? __die_body.cold+0x8/0x12\n[  998.394016]  ? die_addr+0x3c/0x60\n[  998.394027]  ? exc_general_protection+0x16d/0x390\n[  998.394042]  ? asm_exc_general_protection+0x26/0x30\n[  998.394058]  ? dev_set_promiscuity+0x8d/0xa0\n[  998.394066]  ? 
ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[  998.394092]  dp_device_event+0x41/0x80 [openvswitch]\n[  998.394102]  notifier_call_chain+0x5a/0xd0\n[  998.394106]  unregister_netdevice_many_notify+0x51b/0xa60\n[  998.394110]  rtnl_dellink+0x169/0x3e0\n[  998.394121]  ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[  998.394125]  rtnetlink_rcv_msg+0x142/0x3f0\n[  998.394128]  ? avc_has_perm_noaudit+0x69/0xf0\n[  998.394130]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[  998.394132]  netlink_rcv_skb+0x50/0x100\n[  998.394138]  netlink_unicast+0x292/0x3f0\n[  998.394141]  netlink_sendmsg+0x21b/0x470\n[  998.394145]  ____sys_sendmsg+0x39d/0x3d0\n[  998.394149]  ___sys_sendmsg+0x9a/0xe0\n[  998.394156]  __sys_sendmsg+0x7a/0xd0\n[  998.394160]  do_syscall_64+0x7f/0x170\n[  998.394162]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  998.394165] RIP: 0033:0x7fad61bf4724\n[  998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[  998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[  998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[  998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[  998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[  998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 
00007ffd7e2\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/33609454be4f582e686a4bf13d4482a5ca0f6c4b","https://git.kernel.org/stable/c/43579baa17270aa51f93eb09b6e4af6e047b7f6e","https://git.kernel.org/stable/c/4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8","https://git.kernel.org/stable/c/5fdeaf591a0942772c2d18ff3563697a49ad01c6","https://git.kernel.org/stable/c/755a6300afbd743cda4b102f24f343380ec0e0ff","https://git.kernel.org/stable/c/7c770dadfda5cbbde6aa3c4363ed513f1d212bf8","https://git.kernel.org/stable/c/95265232b49765a4d00f4d028c100bb7185600f4","https://git.kernel.org/stable/c/df3c95be76103604e752131d9495a24814915ece"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31509","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n  nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n    -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n    -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the 
runs.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e","https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289","https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616","https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3","https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf","https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4","https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3","https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"],"published_time":"2026-04-22T14:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31498","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. 
A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52","https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377","https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75","https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3","https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9","https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae","https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5","https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31499","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn->lock. 
However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn->lock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn->lock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00fdebbbc557a2fc21321ff2eaa22fd70c078608","https://git.kernel.org/stable/c/3f26ecbd9cde621dd94be7ef252c7210b965a5c7","https://git.kernel.org/stable/c/d008460de352e534f6721de829b093368564ec66"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31500","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock().  This lets it race against\nhci_dev_do_close() -> btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock.  
When both paths manipulate\nhdev->req_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n  BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n  read of hdev->req_rsp at net/bluetooth/hci_sync.c:199\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n   hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n  write/free by task ioctl/22580:\n   btintel_shutdown_combined+0xd0/0x360\n    drivers/bluetooth/btintel.c:3648\n   hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n   hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n  BUG: KASAN: slab-use-after-free in\n   sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n  Read of size 4 at addr ffff888144a738dc\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x186/0x670 
drivers/bluetooth/btintel.c:260","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d","https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010","https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae","https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5","https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31501","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path\n\ncppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.\nIn both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is\nfreed via k3_cppi_desc_pool_free() before the psdata pointer is used\nby emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].\nThis constitutes a use-after-free on every received packet that goes\nthrough the timestamp path.\n\nDefer the descriptor free until after all accesses through the psdata\npointer are complete. For emac_rx_packet(), move the free into the\nrequeue label so both early-exit and success paths free the descriptor\nafter all accesses are done. 
For emac_rx_packet_zc(), move the free to\nthe end of the loop body after emac_dispatch_skb_zc() (which calls\nemac_rx_timestamp()) has returned.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11","https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31502","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix header_ops type confusion with non-Ethernet ports\n\nSimilar to commit 950803f72547 (\"bonding: fix type confusion in\nbond_setup_by_slave()\") team has the same class of header_ops type\nconfusion.\n\nFor non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops\ndirectly. When the team device later calls dev_hard_header() or\ndev_parse_header(), these callbacks can run with the team net_device\ninstead of the real lower device, so netdev_priv(dev) is interpreted as\nthe wrong private type and can crash.\n\nThe syzbot report shows a crash in bond_header_create(), but the root\ncause is in team: the topology is gre -> bond -> team, and team calls\nthe inherited header_ops with its own net_device instead of the lower\ndevice, so bond_header_create() receives a team device and interprets\nnetdev_priv() as bonding private data, causing a type confusion crash.\n\nFix this by introducing team header_ops wrappers for create/parse,\nselecting a team port under RCU, and calling the lower device callbacks\nwith port->dev, so each callback always sees the correct net_device\ncontext.\n\nAlso pass the selected lower device to the lower parse callback, so\nrecursion is bounded in stacked non-Ethernet topologies and parse\ncallbacks always run with the correct device 
context.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a7468ed49a6b65d34abcc6eb60e15f7f6d34da0","https://git.kernel.org/stable/c/20491d384d973a63fbdaf7a71e38d69b0659ea55","https://git.kernel.org/stable/c/425000dbf17373a4ab8be9428f5dc055ef870a56","https://git.kernel.org/stable/c/6d3161fa3eee64d46b766fb0db33ec7f300ef52d"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31503","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable->hash and udptable->hash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot->count > 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1,  \"[fd00::1]:8888\")\nbind(fd2,  \"[fd00::2]:8888\")\nbind(fd3,  \"[fd00::3]:8888\")\nbind(fd4,  \"[fd00::4]:8888\")\nbind(fd5,  \"[fd00::5]:8888\")\nbind(fd6,  \"[fd00::6]:8888\")\nbind(fd7,  \"[fd00::7]:8888\")\nbind(fd8,  \"[fd00::8]:8888\")\nbind(fd9,  \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot->count exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\")      /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". 
For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot->count > 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a360f7f73a06ac88f18917055fbcc79694252d7","https://git.kernel.org/stable/c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4","https://git.kernel.org/stable/c/2297e38114316b26ae02f2d205c49b5511c5ed55","https://git.kernel.org/stable/c/d6ace0dbcbb7fd285738bb87b42b71b01858c952","https://git.kernel.org/stable/c/e537dd15d0d4ad989d56a1021290f0c674dd8b28","https://git.kernel.org/stable/c/f1bed05a832ae79be5f7a105da56810eaa59a5f1"],"published_time":"2026-04-22T14:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31492","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Initialize free_qp completion before using it\n\nIn irdma_create_qp, if ib_copy_to_udata fails, it will call\nirdma_destroy_qp to clean up which will attempt to wait on\nthe free_qp completion, which is not initialized yet. 
Fix this\nby initializing the completion before the ib_copy_to_udata call.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11a95521fb93c91e2d4ef9d53dc80ef0a755549b","https://git.kernel.org/stable/c/3cb88c12461b71c7d9c604aa2e6a9a477ecfa147","https://git.kernel.org/stable/c/ac1da7bd224d406b6f1b84414f0f652ab43b6bd8","https://git.kernel.org/stable/c/af310407f79d5816fc0ab3638e1588b6193316dd","https://git.kernel.org/stable/c/cd1534c8f4984432382c240f6784408497f5bb0a","https://git.kernel.org/stable/c/f72996834f7bdefc2b95e3eec30447ee195df44e"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31493","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix use of completion ctx after free\n\nOn admin queue completion handling, if the admin command completed with\nerror we print data from the completion context. 
The issue is that we\nalready freed the completion context in polling/interrupts handler which\nmeans we print data from context in an unknown state (it might be\nalready used again).\nChange the admin submission flow so alloc/dealloc of the context will be\nsymmetric and dealloc will be called after any potential use of the\ncontext.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dd98aea1c0c45987fa2dd92f988b0eb1a72c125","https://git.kernel.org/stable/c/1cf95fe5dc5471efea947b4c6f8913da6bc7976e","https://git.kernel.org/stable/c/ef3b06742c8a201d0e83edc9a33a89a4fe3009f8"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31494","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: use the current queue number for stats\n\nThere's a potential mismatch between the memory reserved for statistics\nand the amount of memory written.\n\ngem_get_sset_count() correctly computes the number of stats based on the\nactive queues, whereas gem_get_ethtool_stats() indiscriminately copies\ndata using the maximum number of queues, and in the case the number of\nactive queues is less than MACB_MAX_QUEUES, this results in a OOB write\nas observed in the KASAN splat.\n\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78\n  [macb]\nWrite of size 760 at addr ffff80008080b000 by task ethtool/1027\n\nCPU: [...]\nTainted: [E]=UNSIGNED_MODULE\nHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025\nCall trace:\n show_stack+0x20/0x38 (C)\n dump_stack_lvl+0x80/0xf8\n print_report+0x384/0x5e0\n kasan_report+0xa0/0xf0\n kasan_check_range+0xe8/0x190\n __asan_memcpy+0x54/0x98\n gem_get_ethtool_stats+0x54/0x78 [macb\n   
926c13f3af83b0c6fe64badb21ec87d5e93fcf65]\n dev_ethtool+0x1220/0x38c0\n dev_ioctl+0x4ac/0xca8\n sock_do_ioctl+0x170/0x1d8\n sock_ioctl+0x484/0x5d8\n __arm64_sys_ioctl+0x12c/0x1b8\n invoke_syscall+0xd4/0x258\n el0_svc_common.constprop.0+0xb4/0x240\n do_el0_svc+0x48/0x68\n el0_svc+0x40/0xf8\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1b0/0x1b8\n\nThe buggy address belongs to a 1-page vmalloc region starting at\n  0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000\n  index:0xffff00000a333000 pfn:0xa333\nflags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)\nraw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                                  ^\n ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\n\nFix it by making sure the copied size only considers the active number 
of\nqueues.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09524,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/240c5302eed83e34e98db18f6795ee5f40814024","https://git.kernel.org/stable/c/72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5","https://git.kernel.org/stable/c/7ff87da099210856cbfe2f2f7f52ddfa57af4f0c","https://git.kernel.org/stable/c/95246341945163ad9a250a87ca5bd1c1252777ae","https://git.kernel.org/stable/c/9596759a84e1dbf2670518d85e969208960041f9","https://git.kernel.org/stable/c/9738be665544281aa624842812c2fbfed6f88226","https://git.kernel.org/stable/c/9d74d10e4e26672e139a8bcf8bf95957bf2d160f","https://git.kernel.org/stable/c/e182fe273cdf5a8931592228196ef514ffac392b"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31495","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use netlink policy range checks\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at\n  policy level, removing the manual >= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE\n  (14). 
The normal TCP option parsing path already clamps to this value,\n  but the ctnetlink path accepted 0-255, causing undefined behavior when\n  used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n  CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n  a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07942,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ef71307c86a9f866d6e28f1a0c06e2e9d794474","https://git.kernel.org/stable/c/435b576cd2faa75154777868f8cbb73bf71644d3","https://git.kernel.org/stable/c/45c33e79ae705b7af97e3117672b6cd258dd0b1b","https://git.kernel.org/stable/c/4f7d25f3f0786402ba48ff7d13b6241d77d975f5","https://git.kernel.org/stable/c/675c913b940488a84effdeeac5a1cfb657b59804","https://git.kernel.org/stable/c/8f15b5071b4548b0aafc03b366eb45c9c6566704","https://git.kernel.org/stable/c/c6cb41eaae875501eaaa487b8db6539feb092292","https://git.kernel.org/stable/c/fcec5ce2d73a41668b24e3f18c803541602a59f6"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31496","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: skip expectations in other netns via proc\n\nSkip expectations that do not reside in this netns.\n\nSimilar to e77e6ff502ea (\"netfilter: conntrack: do not dump other netns's\nconntrack entries via 
proc\").","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/168145c87444619e3e649322bbe7719ecd00d411","https://git.kernel.org/stable/c/2028405ea6987b4448784e439413202cfe19f43f","https://git.kernel.org/stable/c/3265ad619987cb551edaf797ed056d80ac450225","https://git.kernel.org/stable/c/3db5647984de03d9cae0dcddb509b058351f0ee4","https://git.kernel.org/stable/c/9ca8c7452493d915f9bbf2f39331e6c583d07a23","https://git.kernel.org/stable/c/dcfcd95b3ae7683e8ae55c92284b3430ce614bc7"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31497","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. 
The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[].","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726","https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc","https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226","https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8","https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b","https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff","https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297","https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"],"published_time":"2026-04-22T14:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31486","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). 
If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07","https://git.kernel.org/stable/c/4e9d723d9f198b86f6882a84c501ba1f39e8d055","https://git.kernel.org/stable/c/754bd2b4a084b90b5e7b630e1f423061a9b9b761"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31487","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]\n\nAlso note that we do not enable the driver_override feature of struct\nbus_type, as SPI - in contrast to most other buses - passes \"\" to\nsysfs_emit() when the driver_override pointer is NULL. 
Thus, printing\n\"\\n\" instead of \"(null)\\n\".","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/c73a58661a760373d08a6883af4f0bb5cc991a67","https://git.kernel.org/stable/c/cc34d77dd48708d810c12bfd6f5bf03304f6c824","https://git.kernel.org/stable/c/e0ae367a2de06c49aa1de6ec9b1ab6860bbb2cf0","https://git.kernel.org/stable/c/eedf220442d13b6d97294e5b0ac8a2c38ee1a1a0"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31488","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not skip unrelated mode changes in DSC validation\n\nStarting with commit 17ce8a6907f7 (\"drm/amd/display: Add dsc pre-validation in\natomic check\"), amdgpu resets the CRTC state mode_changed flag to false when\nrecomputing the DSC configuration results in no timing change for a particular\nstream.\n\nHowever, this is incorrect in scenarios where a change in MST/DSC configuration\nhappens in the same KMS commit as another (unrelated) mode change. For example,\nthe integrated panel of a laptop may be configured differently (e.g., HDR\nenabled/disabled) depending on whether external screens are attached. In this\ncase, plugging in external DP-MST screens may result in the mode_changed flag\nbeing dropped incorrectly for the integrated panel if its DSC configuration\ndid not change during precomputation in pre_validate_dsc().\n\nAt this point, however, dm_update_crtc_state() has already created new streams\nfor CRTCs with DSC-independent mode changes. In turn,\namdgpu_dm_commit_streams() will never release the old stream, resulting in a\nmemory leak. 
amdgpu_dm_atomic_commit_tail() will never acquire a reference to\nthe new stream either, which manifests as a use-after-free when the stream gets\ndisabled later on:\n\nBUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]\nWrite of size 4 at addr ffff88813d836524 by task kworker/9:9/29977\n\nWorkqueue: events drm_mode_rmfb_work_fn\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6e/0xa0\n print_address_description.constprop.0+0x88/0x320\n ? dc_stream_release+0x25/0x90 [amdgpu]\n print_report+0xfc/0x1ff\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __virt_addr_valid+0x225/0x4e0\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_report+0xe1/0x180\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_check_range+0x125/0x200\n dc_stream_release+0x25/0x90 [amdgpu]\n dc_state_destruct+0x14d/0x5c0 [amdgpu]\n dc_state_release.part.0+0x4e/0x130 [amdgpu]\n dm_atomic_destroy_state+0x3f/0x70 [amdgpu]\n drm_atomic_state_default_clear+0x8ee/0xf30\n ? drm_mode_object_put.part.0+0xb1/0x130\n __drm_atomic_state_free+0x15c/0x2d0\n atomic_remove_fb+0x67e/0x980\n\nSince there is no reliable way of figuring out whether a CRTC has unrelated\nmode changes pending at the time of DSC validation, remember the value of the\nmode_changed flag from before the point where a CRTC was marked as potentially\naffected by a change in DSC configuration. 
Reset the mode_changed flag to this\nearlier value instead in pre_validate_dsc().\n\n(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10862e344b4d6434642a48c87d765813fc0b0ba7","https://git.kernel.org/stable/c/111208b5b7ebcdadb3f922cc52d8425f0fa91b33","https://git.kernel.org/stable/c/8a5edc97fd9c6415ff2eff872748439a97e3c3d8","https://git.kernel.org/stable/c/aed3d041ab061ec8a64f50a3edda0f4db7280025"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31489","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2","https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f","https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5","https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31490","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pf: Fix use-after-free in migration restore\n\nWhen an error is returned from xe_sriov_pf_migration_restore_produce(),\nthe data pointer is not set to NULL, which can trigger 
use-after-free\nin subsequent .write() calls.\nSet the pointer to NULL upon error to fix the problem.\n\n(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/87997b6c6516e049cbaf2fc6810b213d587a06b1","https://git.kernel.org/stable/c/e28552b4ddea5cb4725380dd08237831af835124"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31491","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Harden depth calculation functions\n\nAn issue was exposed where OS can pass in U32_MAX for SQ/RQ/SRQ size.\nThis can cause integer overflow and truncation of SQ/RQ/SRQ depth\nreturning a success when it should have failed.\n\nHarden the functions to do all depth calculations and boundary\nchecking in u64 sizes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3f08351de5ca4f2f724b86ad252fbc21289467e1","https://git.kernel.org/stable/c/cbd852f5700eb3f64392452faf693ac45cae8281","https://git.kernel.org/stable/c/e37afcb56ae070477741fe2d6e61fc0c542cce2d"],"published_time":"2026-04-22T14:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31480","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential deadlock in cpu hotplug with osnoise\n\nThe following sequence may leads deadlock in cpu hotplug:\n\n    task1        task2        task3\n    -----        -----        -----\n\n mutex_lock(&interface_lock)\n\n            [CPU GOING OFFLINE]\n\n            cpus_write_lock();\n            osnoise_cpu_die();\n              
kthread_stop(task3);\n                wait_for_completion();\n\n                      osnoise_sleep();\n                        mutex_lock(&interface_lock);\n\n cpus_read_lock();\n\n [DEAD LOCK]\n\nFix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03474a01c199de17a8e2d39b51df6beb9c76e831","https://git.kernel.org/stable/c/1f9885732248d22f788e4992c739a98c88ab8a55","https://git.kernel.org/stable/c/7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f","https://git.kernel.org/stable/c/7aa095ce7d224308cb6979956f0de8607df93d4f","https://git.kernel.org/stable/c/cf929c21eeed5bd39873fb14bfdfff963fa6f1da","https://git.kernel.org/stable/c/ef41a85a55022e27cdaebf22a6676910b66f65aa","https://git.kernel.org/stable/c/f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31481","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Drain deferred trigger frees if kthread creation fails\n\nBoot-time trigger registration can fail before the trigger-data cleanup\nkthread exists. Deferring those frees until late init is fine, but the\npost-boot fallback must still drain the deferred list if kthread\ncreation never succeeds.\n\nOtherwise, boot-deferred nodes can accumulate on\ntrigger_data_free_list, later frees fall back to synchronously freeing\nonly the current object, and the older queued entries are leaked\nforever.\n\nTo trigger this, add the following to the kernel command line:\n\n  trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon\n\nThe second traceon trigger will fail and be freed. 
This triggers a NULL\npointer dereference and crashes the kernel.\n\nKeep the deferred boot-time behavior, but when kthread creation fails,\ndrain the whole queued list synchronously. Do the same in the late-init\ndrain path so queued entries are not stranded there either.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/250ab25391edeeab8462b68be42e4904506c409c","https://git.kernel.org/stable/c/771624b7884a83bb9f922ae64ee41a5f8b7576c9"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31482","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/entry: Scrub r12 register on kernel entry\n\nBefore commit f33f2d4c7c80 (\"s390/bp: remove TIF_ISOLATE_BP\"),\nall entry handlers loaded r12 with the current task pointer\n(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. 
That\ncommit removed TIF_ISOLATE_BP, dropping both the branch prediction\nmacros and the r12 load, but did not add r12 to the register clearing\nsequence.\n\nAdd the missing xgr %r12,%r12 to make the register scrub consistent\nacross all entry points.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0738d395aab8fae3b5a3ad3fc640630c91693c27","https://git.kernel.org/stable/c/7f4e3233faa8470dd0627bc49b2809f2bfebd909","https://git.kernel.org/stable/c/95c899cd791803a5bf7b73e5994fbbe1cc1a9c36","https://git.kernel.org/stable/c/99a8b420f3f0e162eb9c9c9253929d4d23f9bd30","https://git.kernel.org/stable/c/a58d298a83a3a9b7ca99ded9d60a1e77231159ef"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31483","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/syscalls: Add spectre boundary for syscall dispatch table\n\nThe s390 syscall number is directly controlled by userspace, but does\nnot have an array_index_nospec() boundary to prevent access past the\nsyscall function pointer 
tables.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1cb9c7bc9025c637564fabc7fcc3c9343949e310","https://git.kernel.org/stable/c/3c3b97064764899c39a0abbd35a6caa031e70333","https://git.kernel.org/stable/c/48b8814e25d073dd84daf990a879a820bad2bcbd","https://git.kernel.org/stable/c/4d05dd18d867d58c6952a3bc260d244899da7256","https://git.kernel.org/stable/c/7a5260fbc6e79a1595328ec5c6aa3f937504a1f0","https://git.kernel.org/stable/c/87776f02449e3bded95b2ccbd6b012e9ae64e6f3","https://git.kernel.org/stable/c/f8c444b918d639e1f9a621ee20fe481c1d10dfc4"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31484","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/fdinfo: fix OOB read in SQE_MIXED wrap check\n\n__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte\nSQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second\nhalf of the SQE would be past the end of the sq_sqes array. The current\ncheck tests (++sq_head & sq_mask) == 0, but sq_head is only incremented\nwhen a 128-byte SQE is encountered, not on every iteration. The actual\narray index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask\n(the last slot) while the wrap check passes.\n\nFix by checking sq_idx directly. 
Keep the sq_head increment so the loop\nstill skips the second half of the 128-byte SQE on the next iteration.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5170efd9c344c68a8075dcb8ed38d3f8a60e7ed4","https://git.kernel.org/stable/c/ba21ab247a5be5382da7464b95afbe5f0e9aa503"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31485","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() 
in\nfsl_lpspi_remove().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300","https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86","https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e","https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb","https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc","https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b","https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3","https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"],"published_time":"2026-04-22T14:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31474","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. 
Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c","https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92","https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4","https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64","https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31475","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). 
Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6","https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190","https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31476","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: do not expire session on binding failure\n\nWhen a multichannel session binding request fails (e.g. wrong password),\nthe error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.\nHowever, during binding, sess points to the target session looked up via\nksmbd_session_lookup_slowpath() -- which belongs to another connection's\nuser. This allows a remote attacker to invalidate any active session by\nsimply sending a binding request with a wrong password (DoS).\n\nFix this by skipping session expiration when the failed request was\na binding attempt, since the session does not belong to the current\nconnection. 
The reference taken by ksmbd_session_lookup_slowpath() is\nstill correctly released via ksmbd_user_session_put().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00076,"ranking_epss":0.22561,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d1888b4a7aec518b707f6eca0bf08992c0e8da3","https://git.kernel.org/stable/c/6fafc4c4238e538969f1375f9ecdc6587c53f1cc","https://git.kernel.org/stable/c/9bbb19d21ded7d78645506f20d8c44895e3d0fb9","https://git.kernel.org/stable/c/a897064a457056acb976e20e3007cdf553de340f","https://git.kernel.org/stable/c/e0e5edc81b241c70355217de7e120c97c3429deb","https://git.kernel.org/stable/c/f5300690c23c5ac860499bb37dbc09cf43fd62e6"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31477","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n   path, goto out leaks smb_lock and its flock because the out:\n   handler only iterates lock_list and rollback_list, neither of\n   which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n   leaks smb_lock and flock for the same reason.  The error code\n   returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n   allocation failure.  The result is dereferenced unconditionally,\n   causing a kernel NULL pointer dereference.  
Add a NULL check to\n   prevent the crash and clean up the bookkeeping; the VFS lock\n   itself cannot be rolled back without the allocation and will be\n   released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch.  Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512","https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900","https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599","https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a","https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9","https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31478","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of ->Buffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() 
value.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e55f63dd08f09651d39e1b709a91705a8a0ddcb","https://git.kernel.org/stable/c/4cb537ae4f37d7d0f617815ed4bed7173fb50861","https://git.kernel.org/stable/c/6aef1765d6807e0f027cd87f6ac973eb0879a46d","https://git.kernel.org/stable/c/70b4c414889492c522b6e4331562360f49be2361","https://git.kernel.org/stable/c/80824c7e527b70cf9039534e60aff592e8f209d1","https://git.kernel.org/stable/c/9a7166f0ef8cbb7bb48dd05e2471d995566003f5","https://git.kernel.org/stable/c/c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31479","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: always keep track of remap prev/next\n\nDuring 3D workload, user is reporting hitting:\n\n[  413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925\n[  413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)\n[  413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]\n[  413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282\n[  413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000\n[  413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000\n[  413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380\n[  413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380\n[  413.362083] FS:  00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000\n[  413.362085] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\n[  413.362086] CR2: 
00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0\n[  413.362088] PKRU: 55555554\n[  413.362089] Call Trace:\n[  413.362092]  <TASK>\n[  413.362096]  xe_vm_bind_ioctl+0xa9a/0xc60 [xe]\n\nWhich seems to hint that the vma we are re-inserting for the ops unwind\nis either invalid or overlapping with something already inserted in the\nvm. It shouldn't be invalid since this is a re-insertion, so must have\nworked before. Leaving the likely culprit as something already placed\nwhere we want to insert the vma.\n\nFollowing from that, for the case where we do something like a rebind in\nthe middle of a vma, and one or both mapped ends are already compatible,\nwe skip doing the rebind of those vma and set next/prev to NULL. As well\nas then adjust the original unmap va range, to avoid unmapping the ends.\nHowever, if we trigger the unwind path, we end up with three va, with\nthe two ends never being removed and the original va range in the middle\nstill being the shrunken size.\n\nIf this occurs, one failure mode is when another unwind op needs to\ninteract with that range, which can happen with a vector of binds. For\nexample, if we need to re-insert something in place of the original va.\nIn this case the va is still the shrunken version, so when removing it\nand then doing a re-insert it can overlap with the ends, which were\nnever removed, triggering a warning like above, plus leaving the vm in a\nbad state.\n\nWith that, we need two things here:\n\n 1) Stop nuking the prev/next tracking for the skip cases. Instead\n    relying on checking for skip prev/next, where needed. That way on the\n    unwind path, we now correctly remove both ends.\n\n 2) Undo the unmap va shrinkage, on the unwind path. 
With the two ends\n    now removed the unmap va should expand back to the original size again,\n    before re-insertion.\n\nv2:\n  - Update the explanation in the commit message, based on an actual IGT of\n    triggering this issue, rather than conjecture.\n  - Also undo the unmap shrinkage, for the skip case. With the two ends\n    now removed, the original unmap va range should expand back to the\n    original range.\nv3:\n  - Track the old start/range separately. vma_size/start() uses the va\n    info directly.\n\n(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5eda8001ebb5269755608d678dd1f3928ab077c9","https://git.kernel.org/stable/c/bfe9e314d7574d1c5c851972e7aee342733819d2","https://git.kernel.org/stable/c/ccd41f110c608b3cc347b9be881c3e72cd634b2b","https://git.kernel.org/stable/c/e6ba1749549e87b83c0c4885d84b543687c3740e"],"published_time":"2026-04-22T14:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31468","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain.  
In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516","https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31469","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. 
When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 
2\ntest_ns","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141","https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54","https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08","https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c","https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01","https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12","https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f","https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31470","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Fix handling of host controlled 'quote' buffer length\n\nValidate host controlled value `quote_buf->out_len` that determines how\nmany bytes of the quote are copied out to guest userspace. 
In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\n\nCatch scenarios where the host specifies a response length larger than\nthe guest's allocation, or otherwise races modifying the response while\nthe guest consumes it.\n\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\n\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b","https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1","https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0","https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31471","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x->mode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x->mode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x->mode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x->mode_data unset. 
The destroy path already\nhandles a NULL mode_data pointer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1","https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7","https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31472","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e","https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3","https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31473","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01","https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0","https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5","https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5","https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d","https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773","https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1","https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"],"published_time":"2026-04-22T14:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31463","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niomap: fix invalid folio access when i_blkbits differs from I/O granularity\n\nCommit aa35dd5cbc06 (\"iomap: fix invalid folio access after\nfolio_end_read()\") partially addressed invalid folio access for folios\nwithout an ifs attached, but it did not handle the case where\n1 << inode->i_blkbits matches the folio size but is different from the\ngranularity used for the 
IO, which means IO can be submitted for less\nthan the full folio for the !ifs case.\n\nIn this case, the condition:\n\n  if (*bytes_submitted == folio_len)\n    ctx->cur_folio = NULL;\n\nin iomap_read_folio_iter() will not invalidate ctx->cur_folio, and\niomap_read_end() will still be called on the folio even though the IO\nhelper owns it and will finish the read on it.\n\nFix this by unconditionally invalidating ctx->cur_folio for the !ifs\ncase.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4a927f670cdb0def226f9f85f42a9f19d9e09c88","https://git.kernel.org/stable/c/bd71fb3fea9945987053968f028a948997cba8cc"],"published_time":"2026-04-22T14:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31464","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost->num_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation.  
The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89","https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161","https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f","https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983","https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc","https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db","https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780","https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3"],"published_time":"2026-04-22T14:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31465","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don't block sync for filesystems with no data integrity guarantees\n\nAdd a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot\nguarantee data persistence on sync (eg fuse). For superblocks with this\nflag set, sync kicks off writeback of dirty inodes but does not wait\nfor the flusher threads to complete the writeback.\n\nThis replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in\ncommit f9a49aa302a0 (\"fs/writeback: skip AS_NO_DATA_INTEGRITY mappings\nin wait_sb_inodes()\"). 
The flag belongs at the superblock level because\ndata integrity is a filesystem-wide property, not a per-inode one.\nHaving this flag at the superblock level also allows us to skip having\nto iterate every dirty inode in wait_sb_inodes() only to skip each inode\nindividually.\n\nPrior to this commit, mappings with no data integrity guarantees skipped\nwaiting on writeback completion but still waited on the flusher threads\nto finish initiating the writeback. Waiting on the flusher threads is\nunnecessary. This commit kicks off writeback but does not wait on the\nflusher threads. This change properly addresses a recent report [1] for\na suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting\non the flusher threads to finish:\n\nWorkqueue: pm_fs_sync pm_fs_sync_work_fn\nCall Trace:\n <TASK>\n __schedule+0x457/0x1720\n schedule+0x27/0xd0\n wb_wait_for_completion+0x97/0xe0\n sync_inodes_sb+0xf8/0x2e0\n __iterate_supers+0xdc/0x160\n ksys_sync+0x43/0xb0\n pm_fs_sync_work_fn+0x17/0xa0\n process_one_work+0x193/0x350\n worker_thread+0x1a1/0x310\n kthread+0xfc/0x240\n ret_from_fork+0x243/0x280\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nOn fuse this is problematic because there are paths that may cause the\nflusher thread to block (eg if systemd freezes the user session cgroups\nfirst, which freezes the fuse daemon, before invoking the kernel\nsuspend. The kernel suspend triggers ->write_node() which on fuse issues\na synchronous setattr request, which cannot be processed since the\ndaemon is frozen. 
Or if the daemon is buggy and cannot properly complete\nwriteback, initiating writeback on a dirty folio already under writeback\nleads to writeback_get_folio() -> folio_prepare_writeback() ->\nunconditional wait on writeback to finish, which will cause a hang).\nThis commit restores fuse to its prior behavior before tmp folios were\nremoved, where sync was essentially a no-op.\n\n[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5c24a13d8a0466ca0446e58309e51f2606520164","https://git.kernel.org/stable/c/76f9377cd2ab7a9220c25d33940d9ca20d368172","https://git.kernel.org/stable/c/83800f8ef358ea2fc9b1ae4986b83f2bc24be927"],"published_time":"2026-04-22T14:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31466","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix folio isn't locked in softleaf_to_folio()\n\nOn arm64 server, we found folio that get from migration entry isn't locked\nin softleaf_to_folio().  This issue triggers when mTHP splitting and\nzap_nonpresent_ptes() races, and the root cause is lack of memory barrier\nin softleaf_to_folio().  
The race is as follows:\n\n\tCPU0                                             CPU1\n\ndeferred_split_scan()                              zap_nonpresent_ptes()\n  lock folio\n  split_folio()\n    unmap_folio()\n      change ptes to migration entries\n    __split_folio_to_order()                         softleaf_to_folio()\n      set flags(including PG_locked) for tail pages    folio = pfn_folio(softleaf_to_pfn(entry))\n      smp_wmb()                                        VM_WARN_ON_ONCE(!folio_test_locked(folio))\n      prep_compound_page() for tail pages\n\nIn __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages\nare visible before the tail page becomes non-compound.  smp_wmb() should\nbe paired with smp_rmb() in softleaf_to_folio(), which is missed.  As a\nresult, if zap_nonpresent_ptes() accesses migration entry that stores tail\npfn, softleaf_to_folio() may see the updated compound_head of tail page\nbefore page->flags.\n\nThis issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()\nbecause of the race between folio split and zap_nonpresent_ptes()\nleading to a folio incorrectly undergoing modification without a folio\nlock being held.\n\nThis is a BUG_ON() before commit 93976a20345b (\"mm: eliminate further\nswapops predicates\"), which in merged in v6.19-rc1.\n\nTo fix it, add missing smp_rmb() if the softleaf entry is migration entry\nin softleaf_to_folio() and softleaf_to_page().\n\n[tujinjiang@huawei.com: update function name and 
comments]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/426ee10711586617da869c8bb798214965337617","https://git.kernel.org/stable/c/4c5e7f0fcd592801c9cc18f29f80fbee84eb8669","https://git.kernel.org/stable/c/722cfaf6b31d31123439e67b5deac6b1261a3dea","https://git.kernel.org/stable/c/7ad1997b9bc8032603df8f091761114479285769","https://git.kernel.org/stable/c/7ddcf4a245c1c5a91fdd9698757e3d95179ffe41","https://git.kernel.org/stable/c/8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7","https://git.kernel.org/stable/c/b8c49ad888892ad7b77062b9c102b799a3e9b4f8","https://git.kernel.org/stable/c/f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd"],"published_time":"2026-04-22T14:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31467","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: add GFP_NOIO in the bio completion if needed\n\nThe bio completion path in the process context (e.g. 
dm-verity)\nwill directly call into decompression rather than trigger another\nworkqueue context for minimal scheduling latencies, which can\nthen call vm_map_ram() with GFP_KERNEL.\n\nDue to insufficient memory, vm_map_ram() may generate memory\nswapping I/O, which can cause submit_bio_wait to deadlock\nin some scenarios.\n\nTrimmed down the call stack, as follows:\n\nf2fs_submit_read_io\n  submit_bio                      //bio_list is initialized.\n    mmc_blk_mq_recovery\n      z_erofs_endio\n        vm_map_ram\n          __pte_alloc_kernel\n            __alloc_pages_direct_reclaim\n              shrink_folio_list\n                __swap_writepage\n                  submit_bio_wait  //bio_list is non-NULL, hang!!!\n\nUse memalloc_noio_{save,restore}() to wrap up this path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/378949f46e897204384f3f5f91e42e93e3f87568","https://git.kernel.org/stable/c/5c8ecdcfbfb0b0c6a82a4ebadc1ddea61609b902","https://git.kernel.org/stable/c/c23df30915f83e7257c8625b690a1cece94142a0","https://git.kernel.org/stable/c/d6565ea662e17d45a577184b0011bd69de22dc2b","https://git.kernel.org/stable/c/d9d8360cb66e3b599d89d2526e7da8b530ebf2ff","https://git.kernel.org/stable/c/da40464064599eefe78749f75cd2bba371044c04","https://git.kernel.org/stable/c/e83e20b82859f0588e9a52a6fa9fea704a2061cf"],"published_time":"2026-04-22T14:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31457","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr in repeat_call_fn\n\ndamon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),\ndamon_sysfs_upd_schemes_stats(), and\ndamon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. 
\nIf nr_contexts is set to 0 via sysfs while DAMON is running, these\nfunctions dereference contexts_arr[0] and cause a NULL pointer\ndereference.  Add the missing check.\n\nFor example, the issue can be reproduced using DAMON sysfs interface and\nDAMON user-space tool (damo) [1] like below.\n\n    $ sudo damo start --refresh_interval 1s\n    $ echo 0 | sudo tee \\\n            /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3527e9fdc38570cea0f6ddb7a2c9303d4044b217","https://git.kernel.org/stable/c/652cd0641a763dd0e846b0d12814977fadb2b7d8","https://git.kernel.org/stable/c/6557004a8b59c7701e695f02be03c7e20ed1cc15"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31458","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]\n\nMultiple sysfs command paths dereference contexts_arr[0] without first\nverifying that kdamond->contexts->nr == 1.  
A user can set nr_contexts to\n0 via sysfs while DAMON is running, causing NULL pointer dereferences.\n\nIn more detail, the issue can be triggered by privileged users like\nbelow.\n\nFirst, start DAMON and make contexts directory empty\n(kdamond->contexts->nr == 0).\n\n    # damo start\n    # cd /sys/kernel/mm/damon/admin/kdamonds/0\n    # echo 0 > contexts/nr_contexts\n\nThen, each of below commands will cause the NULL pointer dereference.\n\n    # echo update_schemes_stats > state\n    # echo update_schemes_tried_regions > state\n    # echo update_schemes_tried_bytes > state\n    # echo update_schemes_effective_quotas > state\n    # echo update_tuned_intervals > state\n\nGuard all commands (except OFF) at the entry point of\ndamon_sysfs_handle_cmd().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bfe9fb5ed2667fb075682408b776b5273162615","https://git.kernel.org/stable/c/1e8da792672481d603fa7cd0d815577220a3ee27","https://git.kernel.org/stable/c/708033c231bd782858f4ddbb46ee874a5a5fbdab","https://git.kernel.org/stable/c/aba546061341b56e9ffb37e1eb661a3628b6ec12","https://git.kernel.org/stable/c/bbe03ad3fb9e714191757ca7b41582f930be7be2"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31459","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure\n\nPatch series \"mm/damon/sysfs: fix memory leak and NULL dereference\nissues\", v4.\n\nDAMON_SYSFS can leak memory under allocation failure, and do NULL pointer\ndereference when a privileged user make wrong sequences of control.  
Fix\nthose.\n\n\nThis patch (of 3):\n\nWhen damon_sysfs_new_test_ctx() fails in damon_sysfs_commit_input(),\nparam_ctx is leaked because the early return skips the cleanup at the out\nlabel.  Destroy param_ctx before returning.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7fe000eb32904758a85e62f6ea9483f89d5dabfc","https://git.kernel.org/stable/c/e9de9f3ce06b133a348006668bc8d25c6e504867","https://git.kernel.org/stable/c/f76f0a964bc3d7b7e253b43c669c41356bc54e71"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31460","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: check if ext_caps is valid in BL setup\n\nLVDS connectors don't have extended backlight caps so check\nif the pointer is valid before accessing it.\n\n(cherry picked from commit 3f797396d7f4eb9bb6eded184bbc6f033628a6f6)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/60b0524bfb7d691ab378cdc788209f11cd34da89","https://git.kernel.org/stable/c/9da4f9964abcaeb6e19797d5e3b10faad338a786"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31461","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix drm_edid leak in amdgpu_dm\n\n[WHAT]\nWhen a sink is connected, aconnector->drm_edid was overwritten without\nfreeing the previous allocation, causing a memory leak on resume.\n\n[HOW]\nFree the previous drm_edid before updating it.\n\n(cherry picked from commit 
52024a94e7111366141cfc5d888b2ef011f879e5)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/37c2caa167b0b8aca4f74c32404c5288b876a2a3","https://git.kernel.org/stable/c/52db857e94b9be4e6315586602b0257d1d2b165a","https://git.kernel.org/stable/c/eb95595194e4755b62360aa821f40a79b0953105"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31462","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: prevent immediate PASID reuse case\n\nPASID resue could cause interrupt issue when process\nimmediately runs into hw state left by previous\nprocess exited with the same PASID, it's possible that\npage faults are still pending in the IH ring buffer when\nthe process exits and frees up its PASID. To prevent the\ncase, it uses idr cyclic allocator same as kernel pid's.\n\n(cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14b81abe7bdc25f8097906fc2f91276ffedb2d26","https://git.kernel.org/stable/c/51ccaf0e30c303149244c34820def83d74c86288","https://git.kernel.org/stable/c/9e5ebfe99b223bb0eb9c50a125c9c02f4ef4c71b","https://git.kernel.org/stable/c/c0b3882836de8ac991b626823966f385555bbcff"],"published_time":"2026-04-22T14:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31455","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: stop reclaim before pushing AIL during unmount\n\nThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while\nbackground reclaim and inodegc are still running. 
This is broken\nindependently of any use-after-free issues - background reclaim and\ninodegc should not be running while the AIL is being pushed during\nunmount, as inodegc can dirty and insert inodes into the AIL during the\nflush, and background reclaim can race to abort and free dirty inodes.\n\nReorder xfs_unmount_flush_inodes() to stop inodegc and cancel background\nreclaim before pushing the AIL. Stop inodegc before cancelling\nm_reclaim_work because the inodegc worker can re-queue m_reclaim_work\nvia xfs_inodegc_set_reclaimable.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/239d734c00644072862fa833805c4471573b1445","https://git.kernel.org/stable/c/4f24a767e3d64a5f58c595b5c29b6063a201f1e3","https://git.kernel.org/stable/c/558e3275d8a3b101be18a7fe7d1634053e9d9b07","https://git.kernel.org/stable/c/8147e304d7d32fd5c3e943babc296ce2873dc279","https://git.kernel.org/stable/c/a89434a6188d8430ea31120da96e3e4cefb58686","https://git.kernel.org/stable/c/bda27fc0b4eb3a425d9a18475c4cb94fbe862c60","https://git.kernel.org/stable/c/d38135af04a3ad8a585c899d176efc8e97853115","https://git.kernel.org/stable/c/e6cc490048f78b009259a5f032acead9f789c34c"],"published_time":"2026-04-22T14:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31456","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/pagewalk: fix race between concurrent split and refault\n\nThe splitting of a PUD entry in walk_pud_range() can race with a\nconcurrent thread refaulting the PUD leaf entry causing it to try walking\na PMD range that has disappeared.\n\nAn example and reproduction of this is to try reading numa_maps of a\nprocess while VFIO-PCI is setting up DMA (specifically the\nvfio_pin_pages_remote call) on a large BAR for that process.\n\nThis will trigger a kernel 
BUG:\nvfio-pci 0000:03:00.0: enabling device (0000 -> 0002)\nBUG: unable to handle page fault for address: ffffa23980000000\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\n...\nRIP: 0010:walk_pgd_range+0x3b5/0x7a0\nCode: 8d 43 ff 48 89 44 24 28 4d 89 ce 4d 8d a7 00 00 20 00 48 8b 4c 24\n28 49 81 e4 00 00 e0 ff 49 8d 44 24 ff 48 39 c8 4c 0f 43 e3 <49> f7 06\n   9f ff ff ff 75 3b 48 8b 44 24 20 48 8b 40 28 48 85 c0 74\nRSP: 0018:ffffac23e1ecf808 EFLAGS: 00010287\nRAX: 00007f44c01fffff RBX: 00007f4500000000 RCX: 00007f44ffffffff\nRDX: 0000000000000000 RSI: 000ffffffffff000 RDI: ffffffff93378fe0\nRBP: ffffac23e1ecf918 R08: 0000000000000004 R09: ffffa23980000000\nR10: 0000000000000020 R11: 0000000000000004 R12: 00007f44c0200000\nR13: 00007f44c0000000 R14: ffffa23980000000 R15: 00007f44c0000000\nFS:  00007fe884739580(0000) GS:ffff9b7d7a9c0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa23980000000 CR3: 000000c0650e2005 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n __walk_page_range+0x195/0x1b0\n walk_page_vma+0x62/0xc0\n show_numa_map+0x12b/0x3b0\n seq_read_iter+0x297/0x440\n seq_read+0x11d/0x140\n vfs_read+0xc2/0x340\n ksys_read+0x5f/0xe0\n do_syscall_64+0x68/0x130\n ? get_page_from_freelist+0x5c2/0x17e0\n ? mas_store_prealloc+0x17e/0x360\n ? vma_set_page_prot+0x4c/0xa0\n ? __alloc_pages_noprof+0x14e/0x2d0\n ? __mod_memcg_lruvec_state+0x8d/0x140\n ? __lruvec_stat_mod_folio+0x76/0xb0\n ? __folio_mod_stat+0x26/0x80\n ? do_anonymous_page+0x705/0x900\n ? __handle_mm_fault+0xa8d/0x1000\n ? __count_memcg_events+0x53/0xf0\n ? handle_mm_fault+0xa5/0x360\n ? do_user_addr_fault+0x342/0x640\n ? arch_exit_to_user_mode_prepare.constprop.0+0x16/0xa0\n ? 
irqentry_exit_to_user_mode+0x24/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fe88464f47e\nCode: c0 e9 b6 fe ff ff 50 48 8d 3d be 07 0b 00 e8 69 01 02 00 66 0f 1f\n84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00\n   f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28\nRSP: 002b:00007ffe6cd9a9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fe88464f47e\nRDX: 0000000000020000 RSI: 00007fe884543000 RDI: 0000000000000003\nRBP: 00007fe884543000 R08: 00007fe884542010 R09: 0000000000000000\nR10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n </TASK>\n\nFix this by validating the PUD entry in walk_pmd_range() using a stable\nsnapshot (pudp_get()).  If the PUD is not present or is a leaf, retry the\nwalk via ACTION_AGAIN instead of descending further.  This mirrors the\nretry logic in walk_pte_range(), which lets walk_pmd_range() retry if the\nPTE is not being got by pte_offset_map_lock().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/38ec58670a0c5fc1edabdeccd857e586b7b3f318","https://git.kernel.org/stable/c/3b89863c3fa482912911cd65a12a3aeef662c250","https://git.kernel.org/stable/c/9bbbebd94dd5be25ec8c899d46ef01b33d5d22c0"],"published_time":"2026-04-22T14:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31450","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei->jinode to concurrent users.\nIt used to set ei->jinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode 
to\njbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? 
vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei->jinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11","https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366","https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd","https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b","https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb","https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232","https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17","https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764"],"published_time":"2026-04-22T14:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31451","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: replace BUG_ON with proper error handling in ext4_read_inline_folio\n\nReplace BUG_ON() with proper error handling when inline data size\nexceeds PAGE_SIZE. 
This prevents kernel panic and allows the system to\ncontinue running while properly reporting the filesystem corruption.\n\nThe error is logged via ext4_error_inode(), the buffer head is released\nto prevent memory leak, and -EFSCORRUPTED is returned to indicate\nfilesystem corruption.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/356227096eb66e41b23caf7045e6304877322edf","https://git.kernel.org/stable/c/65c6c30ce6362c1c684568744ea510c921a756cd","https://git.kernel.org/stable/c/823849a26af089ffc5dfdd2ae4b9d446b46a0cda","https://git.kernel.org/stable/c/a7d600e04732a7d29b107c91fe3aec64cf6ce7f2","https://git.kernel.org/stable/c/d4b3f370c3d8f7ce565d4a718572c9f7c12f77ed"],"published_time":"2026-04-22T14:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31452","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: convert inline data to extents when truncate exceeds inline size\n\nAdd a check in ext4_setattr() to convert files from inline data storage\nto extent-based storage when truncate() grows the file size beyond the\ninline capacity. This prevents the filesystem from entering an\ninconsistent state where the inline data flag is set but the file size\nexceeds what can be stored inline.\n\nWithout this fix, the following sequence causes a kernel BUG_ON():\n\n1. Mount filesystem with inode that has inline flag set and small size\n2. truncate(file, 50MB) - grows size but inline flag remains set\n3. sendfile() attempts to write data\n4. 
ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)\n\nThe crash occurs because ext4_write_inline_data() expects inline storage\nto accommodate the write, but the actual inline capacity (~60 bytes for\ni_block + ~96 bytes for xattrs) is far smaller than the file size and\nwrite request.\n\nThe fix checks if the new size from setattr exceeds the inode's actual\ninline capacity (EXT4_I(inode)->i_inline_size) and converts the file to\nextent-based storage before proceeding with the size change.\n\nThis addresses the root cause by ensuring the inline data flag and file\nsize remain consistent during truncate operations.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07c1a31af18290054da3d18221b8bf58983c5d3a","https://git.kernel.org/stable/c/110d7ef602659ce4d7947c5480f7ca2779696aaf","https://git.kernel.org/stable/c/699bac4d4c951974d55b045c983d1de777215949","https://git.kernel.org/stable/c/7920dcc571cef3d8aa9ee109c136125d61d41669","https://git.kernel.org/stable/c/93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6","https://git.kernel.org/stable/c/c047332be7195833a5c5126816c2502df8269fe4","https://git.kernel.org/stable/c/ed9356a30e59c7cc3198e7fc46cfedf3767b9b17","https://git.kernel.org/stable/c/f53a5d9f32924bc2a810d2df243b7714da58b636"],"published_time":"2026-04-22T14:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31453","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: avoid dereferencing log items after push callbacks\n\nAfter xfsaild_push_item() calls iop_push(), the log item may have been\nfreed if the AIL lock was dropped during the push. 
Background inode\nreclaim or the dquot shrinker can free the log item while the AIL lock\nis not held, and the tracepoints in the switch statement dereference\nthe log item after iop_push() returns.\n\nFix this by capturing the log item type, flags, and LSN before calling\nxfsaild_push_item(), and introducing a new xfs_ail_push_class trace\nevent class that takes these pre-captured values and the ailp pointer\ninstead of the log item pointer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/451c6329d9afa45862c36fe6677eb7750db60617","https://git.kernel.org/stable/c/7121b22b0bac89394cc4c6a54b5aebc15347bdf5","https://git.kernel.org/stable/c/79ef34ec0554ec04bdbafafbc9836423734e1bd6","https://git.kernel.org/stable/c/95fb5d643cc70959baa54cd17f52f80ffc3295e7","https://git.kernel.org/stable/c/c4d603e8e58a3bf35480135ccca2b4f7238abda5","https://git.kernel.org/stable/c/c8a2ab339b88d10fc34a3318c92f07d8a467019d"],"published_time":"2026-04-22T14:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31454","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: save ailp before dropping the AIL lock in push callbacks\n\nIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock\nis dropped to perform buffer IO. Once the cluster buffer no longer\nprotects the log item from reclaim, the log item may be freed by\nbackground reclaim or the dquot shrinker. 
The subsequent spin_lock()\ncall dereferences lip->li_ailp, which is a use-after-free.\n\nFix this by saving the ailp pointer in a local variable while the AIL\nlock is held and the log item is guaranteed to be valid.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19437e4f7bb909afde832b39372aa2f3ce3cfd88","https://git.kernel.org/stable/c/394d70b86fae9fe865e7e6d9540b7696f73aa9b6","https://git.kernel.org/stable/c/4c7d50147316cf049462f327c4a3e9dc2b7f1dd0","https://git.kernel.org/stable/c/50f5f056807b7bed74f4f307f2ca0ed92f3e556d","https://git.kernel.org/stable/c/6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5","https://git.kernel.org/stable/c/75669e987137f49c99ca44406bf0200d1892dd16","https://git.kernel.org/stable/c/d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d","https://git.kernel.org/stable/c/edd1637d4e3911ab6c760f553f2040fe72f61a13"],"published_time":"2026-04-22T14:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31444","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free and NULL deref in smb_grant_oplock()\n\nsmb_grant_oplock() has two issues in the oplock publication sequence:\n\n1) opinfo is linked into ci->m_op_list (via opinfo_add) before\n   add_lease_global_list() is called.  If add_lease_global_list()\n   fails (kmalloc returns NULL), the error path frees the opinfo\n   via __free_opinfo() while it is still linked in ci->m_op_list.\n   Concurrent m_op_list readers (opinfo_get_list, or direct iteration\n   in smb_break_all_levII_oplock) dereference the freed node.\n\n2) opinfo->o_fp is assigned after add_lease_global_list() publishes\n   the opinfo on the global lease list.  
A concurrent\n   find_same_lease_key() can walk the lease list and dereference\n   opinfo->o_fp->f_ci while o_fp is still NULL.\n\nFix by restructuring the publication sequence to eliminate post-publish\nfailure:\n\n- Set opinfo->o_fp before any list publication (fixes NULL deref).\n- Preallocate lease_table via alloc_lease_table() before opinfo_add()\n  so add_lease_global_list() becomes infallible after publication.\n- Keep the original m_op_list publication order (opinfo_add before\n  lease list) so concurrent opens via same_client_has_lease() and\n  opinfo_get_list() still see the in-flight grant.\n- Use opinfo_put() instead of __free_opinfo() on err_out so that\n  the RCU-deferred free path is used.\n\nThis also requires splitting add_lease_global_list() to take a\npreallocated lease_table and changing its return type from int to void,\nsince it can no longer fail.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/48623ec358c1c600fa1e38368746f933e0f1a617","https://git.kernel.org/stable/c/6d7e5a918c1d0aad06db0e17677b66fc9a471021","https://git.kernel.org/stable/c/7de55bba69cbf0f9280daaea385daf08bc076121","https://git.kernel.org/stable/c/9e785f004cbc56390479b77375726ea9b0d1a8a6","https://git.kernel.org/stable/c/a5c6f6d6ceefed2d5210ee420fb75f8362461f46"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31445","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update.  It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction.  damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures.  
In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn't be used anymore.  The function only ensures the damon_ctx object\ncan safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters.  But it can still theoretically fail if the\ninternal memory allocation fails.  In the case, DAMON may run with the\npartially updated damon_ctx.  This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1].  Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare.  But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object.  For this,\nintroduce damon_ctx->maybe_corrupted field.  damon_commit_ctx() sets it\nwhen it is failed.  kdamond_call() checks if the field is set after each\ndamon_call_control->fn() is executed.  If it is set, ignore remaining\ncallback requests and return.  All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations.  
If the field is set, break the kdamond_fn()\nmain loop so that DAMON sill doesn't use the context that might be\ncorrupted.\n\n[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56","https://git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145","https://git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31446","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. 
However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n  update_super_work                ext4_put_super\n  -----------------                --------------\n                                   ext4_unregister_sysfs(sb)\n                                     kobject_del(&sbi->s_kobj)\n                                       __kobject_del()\n                                         sysfs_remove_dir()\n                                           kobj->sd = NULL\n                                         sysfs_put(sd)\n                                           kernfs_put()  // RCU free\n  ext4_notify_error_sysfs(sbi)\n    sysfs_notify(&sbi->s_kobj)\n      kn = kobj->sd              // stale pointer\n      kernfs_get(kn)             // UAF on freed kernfs_node\n                                   ext4_journal_destroy()\n                                     flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. 
A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e","https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93","https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d","https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff","https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3","https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe","https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31447","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: reject mount if bigalloc with s_first_data_block != 0\n\nbigalloc with s_first_data_block != 0 is not supported, reject 
mounting\nit.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3822743dc20386d9897e999dbb990befa3a5b3f8","https://git.kernel.org/stable/c/3a926957cc95899ef88529710836edadc03c71a1","https://git.kernel.org/stable/c/5ad6d994255e27a3254079dfb50ca861fc31f2d0","https://git.kernel.org/stable/c/7b58c110b4e1f028eb38eec9ed3555e9be81c8b0","https://git.kernel.org/stable/c/7d5b04290156c3fc316eecc86a4f9d201ab7d44a","https://git.kernel.org/stable/c/ad1f6d608f33f59d21a3d025615d6786a6443998","https://git.kernel.org/stable/c/b77de3fceafbb39f30e4ff5dc986f863d5456417","https://git.kernel.org/stable/c/d787d3ae96648dc14a3b7ca8fde817177e82c1c7"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31448","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. 
Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we've\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. 
So I'd just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412","https://git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5","https://git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c","https://git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9","https://git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c","https://git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31449","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. 
Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33","https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8","https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1","https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83"],"published_time":"2026-04-22T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31438","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators\n\nWhen a process crashes and the kernel writes a core dump to a 9P\nfilesystem, __kernel_write() creates an ITER_KVEC iterator. This\niterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which\nonly handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,\nhitting the BUG() for any other type.\n\nFix this by adding netfs_limit_kvec() following the same pattern as\nnetfs_limit_bvec(), since both kvec and bvec are simple segment arrays\nwith pointer and length fields. 
Dispatch it from netfs_limit_iter() when\nthe iterator type is ITER_KVEC.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00d6df7115f6972370974212de9088087820802e","https://git.kernel.org/stable/c/18c2e20b42dd21db599e42d05ddaeeb647b2bb6d","https://git.kernel.org/stable/c/4bc2d72c7695cedf6d4e1a558924903c2b28a78e","https://git.kernel.org/stable/c/67e467a11f62ff64ad219dc6aa5459e132c79d14"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31439","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: xilinx: xdma: Fix regmap init error handling\n\ndevm_regmap_init_mmio returns an ERR_PTR() upon error, not NULL.\nFix the error check and also fix the error message. Use the error code\nfrom ERR_PTR() instead of the wrong value in ret.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4b6e1da50b22e5528b9003f376a3cecccce4decc","https://git.kernel.org/stable/c/59f6ccd0f3345be2e8a78bdef2103e93f180633a","https://git.kernel.org/stable/c/9787b3d9b908785b40bc3f2e6d7082fdb8fdd98a","https://git.kernel.org/stable/c/e0adbf74e2a0455a6bc9628726ba87bcd0b42bf8","https://git.kernel.org/stable/c/f27197ccfd2ecd2c71f27fd57c6d507e892ad24d"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31440","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix leaking event log memory\n\nDuring the device remove process, the device is reset, causing the\nconfiguration registers to go back to their default state, which is\nzero. 
As the driver is checking if the event log support was enabled\nbefore deallocating, it will fail if a reset happened before.\n\nDo not check if the support was enabled, the check for 'idxd->evl'\nbeing valid (only allocated if the HW capability is available) is\nenough.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9dfa00967e6ef43a9dd0887fe5c3a721a39da92e","https://git.kernel.org/stable/c/d94f9b0ba28a205caf95902ee88b42bdb8af83d0","https://git.kernel.org/stable/c/ee66bc29578391c9b48523dc9119af67bd5c7c0f","https://git.kernel.org/stable/c/facd0012708e942fc12890708738aebde497564e"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31441","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are 
released.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8","https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51","https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a","https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658","https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de","https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31442","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible invalid memory access after FLR\n\nIn the case that the first Function Level Reset (FLR) concludes\ncorrectly, but in the second FLR the scratch area for the saved\nconfiguration cannot be allocated, it's possible for a invalid memory\naccess to happen.\n\nAlways set the deallocated scratch area to NULL after FLR completes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/504c0e6751001ac46917c73e703f2b1b92cfc026","https://git.kernel.org/stable/c/867d0c801f21370d561420fa32f2ea1a7dc3a22d","https://git.kernel.org/stable/c/d6077df7b75d26e4edf98983836c05d00ebabd8d"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31443","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix crash when the event log is disabled\n\nIf reporting errors to the event log is not supported by the hardware,\nand an error that causes Function Level Reset (FLR) is 
received, the\ndriver will try to restore the event log even if it was not allocated.\n\nAlso, only try to free the event log if it was properly allocated.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e761079d653c25f838380cf7cef2730832110cc","https://git.kernel.org/stable/c/52d2edea0d63c935e82631e4b9e4a94eccf97b5b","https://git.kernel.org/stable/c/aa0ffc6d3990ec35976308a068dc23178037e564"],"published_time":"2026-04-22T14:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31192","summary":"Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10222,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS","https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin","https://github.com/incoggeek/vulnerability-research/tree/master/CVE-2026-31192","https://support.google.com/chrome_webstore/answer/2664769?hl=en"],"published_time":"2026-04-22T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31434","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. 
As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n  comm \"mount\", pid 1244, jiffies 4294996972\n  hex dump (first 16 bytes):\n    64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f  data-reloc......\n  backtrace (crc 53ffde4d):\n    __kmalloc_node_track_caller_noprof+0x619/0x870\n    kstrdup+0x42/0xc0\n    kobject_set_name_vargs+0x44/0x110\n    kobject_init_and_add+0xcf/0x150\n    btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n    create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n    create_space_info+0x211/0x320 [btrfs]\n    btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n    open_ctree+0x33c7/0x4a50 [btrfs]\n    btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n    vfs_get_tree+0x87/0x2f0\n    vfs_cmd_create+0xbd/0x280\n    __do_sys_fsconfig+0x3df/0x990\n    do_syscall_64+0x136/0x1540\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a","https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc","https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949","https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48","https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c","https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41"],"published_time":"2026-04-22T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31435","summary":"In the Linux kernel, the 
following vulnerability has been resolved:\n\nnetfs: Fix read abandonment during retry\n\nUnder certain circumstances, all the remaining subrequests from a read\nrequest will get abandoned during retry.  The abandonment process expects\nthe 'subreq' variable to be set to the place to start abandonment from, but\nit doesn't always have a useful value (it will be uninitialised on the\nfirst pass through the loop and it may point to a deleted subrequest on\nlater passes).\n\nFix the first jump to \"abandon:\" to set subreq to the start of the first\nsubrequest expected to need retry (which, in this abandonment case, turned\nout unexpectedly to no longer have NEED_RETRY set).\n\nAlso clear the subreq pointer after discarding superfluous retryable\nsubrequests to cause an oops if we do try to access it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3e5fd8f53b575ff2188f82071da19c977ca56c41","https://git.kernel.org/stable/c/7e57523490cd2efb52b1ea97f2e0a74c0fb634cd","https://git.kernel.org/stable/c/8f2f2bd128a8d9edbc1e785760da54ada3df69b7"],"published_time":"2026-04-22T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31436","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()\n\nAt the end of this function, d is the traversal cursor of flist, but the\ncode completes found instead. 
This can lead to issues such as NULL pointer\ndereferences, double completion, or descriptor leaks.\n\nFix this by completing d instead of found in the final\nlist_for_each_entry_safe() loop.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e4f43779d550e559be13a5cdb763bad92c4cc99","https://git.kernel.org/stable/c/82656e8daf8de00935ae91b91bed43f4d6e0d644","https://git.kernel.org/stable/c/e1c9866173c5f8521f2d0768547a01508cb9ff27","https://git.kernel.org/stable/c/e21da2ad8844585040fe4b82be1ad2fe99d40074"],"published_time":"2026-04-22T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31437","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry\n\nWhen a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path\nin netfs_unbuffered_write() unconditionally calls stream->prepare_write()\nwithout checking if it is NULL.\n\nFilesystems such as 9P do not set the prepare_write operation, so\nstream->prepare_write remains NULL. 
When get_user_pages() fails with\n-EFAULT and the subrequest is flagged for retry, this results in a NULL\npointer dereference at fs/netfs/direct_write.c:189.\n\nFix this by mirroring the pattern already used in write_retry.c: if\nstream->prepare_write is NULL, skip renegotiation and directly reissue\nthe subrequest via netfs_reissue_write(), which handles iterator reset,\nIN_PROGRESS flag, stats update and reissue internally.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684","https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0ab","https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8"],"published_time":"2026-04-22T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2013-10045","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2013-10056","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2014-125120","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the 
CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0539","summary":"Incorrect Default Permissions in pcvisit service binary on Windows allows a low-privileged local attacker to escalate their privileges by overwriting the service binary with arbitrary contents. This service binary is automatically launched with NT\\SYSTEM privileges on boot. This issue affects all versions after 22.6.22.1329 and was fixed in 25.12.3.1745.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.5,"epss":0.00011,"ranking_epss":0.01344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://labs.infoguard.ch/advisories/cve-2026-0539_pcvisit_local-privilege-escalation/","https://www.pcvisit.de/kundenbereich/release-notes"],"published_time":"2026-04-22T14:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2005-20001","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2008-20002","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2008-20003","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the 
CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2009-20012","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2010-20110","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2010-20116","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2010-20117","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2010-20118","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the 
CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2010-20124","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2011-10031","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2013-10041","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2000-5001","summary":"Rejected reason: This CVE has the been REJECTED and will not be published by the CNA.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-22T14:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6855","summary":"A flaw was found in InstructLab. 
A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03116,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6855","https://bugzilla.redhat.com/show_bug.cgi?id=2460013"],"published_time":"2026-04-22T13:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6857","summary":"A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00367,"ranking_epss":0.58613,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6857","https://bugzilla.redhat.com/show_bug.cgi?id=2460003"],"published_time":"2026-04-22T13:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33600","summary":"An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of 
service.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04891,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33601","summary":"If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6848","summary":"A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. 
The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15357,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6848","https://bugzilla.redhat.com/show_bug.cgi?id=2460119"],"published_time":"2026-04-22T10:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1930","summary":"The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01277,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L121","https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L200","https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L121","https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L200","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3474353%40emailchef&new=3474353%40emailchef&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/3ae02595-17f0-472d-bc4f-6169cce7a583?source=cve"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33256","summary":"An attacker can send a web request that causes unlimited memory allocation in the 
internal web server, leading to a denial of service. The internal web server is disabled by default.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":3e-05,"ranking_epss":0.00114,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33257","summary":"An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00988,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html","https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html","https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33258","summary":"By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":3e-05,"ranking_epss":0.00114,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33259","summary":"Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. 
Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":2e-05,"ranking_epss":0.00038,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33260","summary":"An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00988,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html","https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html","https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33261","summary":"A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":2e-05,"ranking_epss":0.00049,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33262","summary":"An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. 
Cookies are disabled by default.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"],"published_time":"2026-04-22T10:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1395","summary":"The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/gutentools/tags/1.1.3/core/blocks/post-slider.php#L232","https://plugins.trac.wordpress.org/browser/gutentools/trunk/core/blocks/post-slider.php#L232","https://plugins.trac.wordpress.org/browser/gutentools/trunk/core/gutentools_block.php#L123","https://plugins.trac.wordpress.org/changeset/3476597/gutentools/trunk/core/blocks/post-slider.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/b2683b4e-b993-4c84-b7cc-a2cb511b4097?source=cve"],"published_time":"2026-04-22T10:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1913","summary":"The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on 
the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/gallagher-website-design/tags/2.6.4/gallagher-website-design.php#L203","https://plugins.trac.wordpress.org/browser/gallagher-website-design/trunk/gallagher-website-design.php#L203","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454227%40gallagher-website-design&new=3454227%40gallagher-website-design&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d013ae-a512-454a-bcfc-8725a6928fee?source=cve"],"published_time":"2026-04-22T10:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6844","summary":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"published_time":"2026-04-22T09:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6845","summary":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00267,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"published_time":"2026-04-22T09:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6846","summary":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.0266,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"published_time":"2026-04-22T09:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6041","summary":"The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' (buzz_comments_avatar_image) setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin settings page.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/buzz-comments/trunk/admin.tpl.php#L36","https://plugins.trac.wordpress.org/browser/buzz-comments/trunk/buzzComments_class.php#L187","https://www.wordfence.com/threat-intel/vulnerabilities/id/1516ebe7-4d16-4e97-9baa-bc5857f95126?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6235","summary":"The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. 
This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06826,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/includes/sendmachine_email_manager.php#L39","https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L174","https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L183","https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6236","summary":"The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L33","https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L78","https://wordpress.org/plugins/posts-map/","https://www.wordfence.com/threat-intel/vulnerabilities/id/e02c5817-7a54-4958-a076-71e5e7729cda?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6246","summary":"The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/simple-random-posts-shortcode/tags/0.3/simple-random-posts-shortcode.php#L54","https://plugins.trac.wordpress.org/browser/simple-random-posts-shortcode/trunk/simple-random-posts-shortcode.php#L54","https://www.wordfence.com/threat-intel/vulnerabilities/id/7d61e6ea-4975-452a-8f9c-1c6d428372ac?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6294","summary":"The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. 
This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L32","https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L56","https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L32","https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L56","https://www.wordfence.com/threat-intel/vulnerabilities/id/e39ebe27-7780-48b6-8dca-7da7a78fce69?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6396","summary":"The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. 
This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.0042,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L24","https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L419","https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L24","https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L419","https://www.wordfence.com/threat-intel/vulnerabilities/id/4b5fbf2c-1231-482f-b5a5-819f31da3524?source=cve"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6843","summary":"A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). 
This results in a Denial of Service (DoS) for the `nano` application.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6843","https://bugzilla.redhat.com/show_bug.cgi?id=2460017"],"published_time":"2026-04-22T09:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4142","summary":"The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. 
This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05161,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L262","https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50","https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75","https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81","https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87","https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L262","https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50","https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75","https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81","https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87","https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4279","summary":"The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). 
Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/bread-butter/tags/8.2.0.25/src/Base/Shortcode.php#L364","https://plugins.trac.wordpress.org/browser/bread-butter/tags/8.2.0.25/src/Base/Shortcode.php#L380","https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Shortcode.php#L364","https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Shortcode.php#L380","https://www.wordfence.com/threat-intel/vulnerabilities/id/0728b42b-5ec7-46a2-a9a5-3316107e9324?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4280","summary":"The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00093,"ranking_epss":0.25971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L366","https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L372","https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L85","https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L366","https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L372","https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L85","https://www.wordfence.com/threat-intel/vulnerabilities/id/4772b482-f5e5-4707-b012-aca70fc89e49?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4353","summary":"The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ci-hub-connector/tags/1.2.106/ci-hub-wordpress-connector.php#L645","https://plugins.trac.wordpress.org/browser/ci-hub-connector/trunk/ci-hub-wordpress-connector.php#L645","https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b36468-319a-4de3-9112-bd4a3cf7d637?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5748","summary":"The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/text-snippet/tags/0.0.1/text-snippet.php#L78","https://plugins.trac.wordpress.org/browser/text-snippet/trunk/text-snippet.php#L78","https://www.wordfence.com/threat-intel/vulnerabilities/id/8cc7a0f3-6a58-4e42-9341-aecf55d2ccb1?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5767","summary":"The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `slideShowProSC` shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/slideshowpro-shortcode/tags/1.0.2/slideshowpro_sc.php#L287","https://plugins.trac.wordpress.org/browser/slideshowpro-shortcode/trunk/slideshowpro_sc.php#L287","https://www.wordfence.com/threat-intel/vulnerabilities/id/51467cef-9624-4dd9-a368-d3b5fac7bb3d?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5820","summary":"The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L57","https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L71","https://www.wordfence.com/threat-intel/vulnerabilities/id/024a6a0f-f819-40e7-9618-71219c27aa64?source=cve"],"published_time":"2026-04-22T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4131","summary":"The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). 
This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wp-popup-optin.php#L218","https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L103","https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L104","https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L15","https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L43","https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wp-popup-optin.php#L218","https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L103","https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L104","https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L15","https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L43","https://www.wordfence.com/threat-intel/vulnerabilities/id/0a8a49c4-21e8-447c-94da-8241c7d66c29?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4132","summary":"The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. 
The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00323,"ranking_epss":0.55312,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1296","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1298","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1403","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L671","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L722","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L97","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1296","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1298","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1403","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L671","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L722","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L97","https://www.wordfence.com/threat-intel/vulnerabilities/id/ce010c6f-16bd-4178-a621-31ba6378946a?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4133","summary":"The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage() function which processes settings updates. The form at line 314 does not include a wp_nonce_field(), and the POST handler at line 7 does not call check_admin_referer() or wp_verify_nonce() before processing settings changes. This makes it possible for unauthenticated attackers to update all plugin settings including chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00293,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/textp2p-texting-widget/tags/1.7/inc/admin/im-textp2p-options.php#L299","https://plugins.trac.wordpress.org/browser/textp2p-texting-widget/tags/1.7/inc/admin/im-textp2p-options.php#L7","https://plugins.trac.wordpress.org/browser/textp2p-texting-widget/trunk/inc/admin/im-textp2p-options.php#L299","https://plugins.trac.wordpress.org/browser/textp2p-texting-widget/trunk/inc/admin/im-textp2p-options.php#L7","https://www.wordfence.com/threat-intel/vulnerabilities/id/2d36fa25-108b-462b-b84e-2e77943b1871?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4138","summary":"The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. 
This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00875,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L13","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L21","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L25","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L40","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L13","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L21","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L25","https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L40","https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dbd0e-d6a7-438b-b1bf-a6628734fec4?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4139","summary":"The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. 
This is due to the complete absence of nonce verification and capability checks in the compute_post() function, which processes settings updates. The compute_post() function is called in the plugin constructor on every page load via the plugins_loaded hook, and it directly processes $_POST data to modify plugin settings via update_option() without any CSRF token validation. This makes it possible for unauthenticated attackers to modify all plugin settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags, via a forged POST request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00377,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L138","https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L320","https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L339","https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L138","https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L320","https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L339","https://www.wordfence.com/threat-intel/vulnerabilities/id/622ee6c8-7739-44ae-b88f-63a93c0a9b20?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4140","summary":"The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. 
The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00293,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-export.php#L136","https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-setting.php#L59","https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-export.php#L136","https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-setting.php#L59","https://www.wordfence.com/threat-intel/vulnerabilities/id/2d62c49c-3a33-4865-abcc-22d8e38ac198?source=cve"],"published_time":"2026-04-22T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4117","summary":"The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01377,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L25","https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L30","https://plugins.trac.wordpress.org/browser/calj/tags/1.5/calj.php#L17","https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L25","https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L30","https://plugins.trac.wordpress.org/browser/calj/trunk/calj.php#L17","https://www.wordfence.com/threat-intel/vulnerabilities/id/d1c7df8e-2f82-4474-88ef-8c8ddaeb4656?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4118","summary":"The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). 
This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00875,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L41","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L55","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L69","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L76","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L41","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L55","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L69","https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L76","https://www.wordfence.com/threat-intel/vulnerabilities/id/6d15f5de-9ec9-466d-aafe-6304356ccb39?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4119","summary":"The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). 
The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.0577,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370","https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376","https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405","https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408","https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14","https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14","https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69","https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4121","summary":"The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00377,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L12","https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L30","https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L47","https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L12","https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L30","https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L47","https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4125","summary":"The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the 'class' attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wpmk-block/tags/1.0.1/classes/wpmk-block-class.php#L82","https://plugins.trac.wordpress.org/browser/wpmk-block/tags/1.0.1/classes/wpmk-block-class.php#L97","https://plugins.trac.wordpress.org/browser/wpmk-block/trunk/classes/wpmk-block-class.php#L82","https://plugins.trac.wordpress.org/browser/wpmk-block/trunk/classes/wpmk-block-class.php#L97","https://www.wordfence.com/threat-intel/vulnerabilities/id/5e397c7a-2aef-4c23-a224-e324ea4bb4b1?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4126","summary":"The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. 
There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01529,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L561","https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L572","https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L573","https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L561","https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L572","https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L573","https://www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4128","summary":"The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474","https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169","https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474","https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169","https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f?source=cve"],"published_time":"2026-04-22T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4076","summary":"The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03474,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L109","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L113","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L38","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L47","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L7","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L93","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L109","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L113","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L38","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L47","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L7","https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L93","https://www.wordfence.com/threat-intel/vulnerabilities/id/26fe0b7b-dbf8-467f-b5e2-86a858eeaf89?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4082","summary":"The ER Swiffy Insert plugin for WordPress is vulnerable to 
Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h'). These attributes are extracted using extract() and directly interpolated into the HTML output without any escaping such as esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/er-swiffy-insert/tags/1.0.0/er-swiffy-insert.php#L49","https://plugins.trac.wordpress.org/browser/er-swiffy-insert/tags/1.0.0/er-swiffy-insert.php#L56","https://plugins.trac.wordpress.org/browser/er-swiffy-insert/trunk/er-swiffy-insert.php#L49","https://plugins.trac.wordpress.org/browser/er-swiffy-insert/trunk/er-swiffy-insert.php#L56","https://www.wordfence.com/threat-intel/vulnerabilities/id/074d9712-9b26-47da-9e24-49854fd7257c?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4085","summary":"The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/class-my-instagram-feed-frontend.php#L53","https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/views/feed.php#L102","https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/class-my-instagram-feed-frontend.php#L53","https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/views/feed.php#L102","https://www.wordfence.com/threat-intel/vulnerabilities/id/8640724c-0bd4-4684-9fd1-027f2af64e67?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4088","summary":"The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05867,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L14","https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L18","https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L2","https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/shortcode_setup.php#L8","https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L14","https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L18","https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L2","https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/shortcode_setup.php#L8","https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3fc90-b81c-4451-80e0-cead99a2dcd9?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4089","summary":"The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. 
Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/twittee-text-tweet/tags/1.0.8/ttt-twittee-text-tweet.php#L55","https://plugins.trac.wordpress.org/browser/twittee-text-tweet/tags/1.0.8/ttt-twittee-text-tweet.php#L87","https://plugins.trac.wordpress.org/browser/twittee-text-tweet/trunk/ttt-twittee-text-tweet.php#L55","https://plugins.trac.wordpress.org/browser/twittee-text-tweet/trunk/ttt-twittee-text-tweet.php#L87","https://www.wordfence.com/threat-intel/vulnerabilities/id/4d678e97-f466-4640-83ee-a3a24550e8d8?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4090","summary":"The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. 
This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01242,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L32","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L34","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L21","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L46","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L47","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L48","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L49","https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L6","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L32","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L34","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L21","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L46","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L47","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L48","https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L49","https
://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L6","https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c?source=cve"],"published_time":"2026-04-22T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2719","summary":"The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/private-wp-suite/tags/0.4.1/private-wp-suite.php#L153","https://plugins.trac.wordpress.org/browser/private-wp-suite/trunk/private-wp-suite.php#L153","https://www.wordfence.com/threat-intel/vulnerabilities/id/af88a631-c4ec-47ec-ad9b-1ef38ea1be09?source=cve"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31431","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  
Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00597,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5","https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237","https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31432","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov 
pinning.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45","https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617","https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09","https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31433","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential OOB in get_file_all_info() for compound requests\n\nWhen a compound request consists of QUERY_DIRECTORY + QUERY_INFO\n(FILE_ALL_INFORMATION) and the first command consumes nearly the entire\nmax_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()\nwith PATH_MAX, causing out-of-bounds write beyond the response buffer.\nIn get_file_all_info(), there was a missing validation check for\nthe client-provided OutputBufferLength before copying the filename into\nFileName field of the smb2_file_all_info structure.\nIf the filename length exceeds the available buffer space, it could lead to\npotential buffer overflows or memory corruption during smbConvertToUTF16\nconversion. 
This patch calculates the actual free buffer size using\nsmb2_calc_max_out_buf_len(), returns -EINVAL if the buffer is\ninsufficient, and updates smbConvertToUTF16 to use the actual filename\nlength (clamped by PATH_MAX) to ensure a safe copy operation.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe","https://git.kernel.org/stable/c/3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7","https://git.kernel.org/stable/c/4cca3eff2099b18672934a39cee70aed835d652c","https://git.kernel.org/stable/c/7aec5a769d2356cbf344d85bcfd36de592ac96a5","https://git.kernel.org/stable/c/9d7032851d6f5adbe2739601ca456c0ad3b422f0","https://git.kernel.org/stable/c/b0cd9725fe2bcc9f37d096b132318a9060373f5d","https://git.kernel.org/stable/c/beef2634f81f1c086208191f7228bce1d366493d"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3362","summary":"The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. 
This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04834,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L21","https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L54","https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L61","https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/views/settings.php#L25","https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L21","https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L54","https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L61","https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/views/settings.php#L25","https://www.wordfence.com/threat-intel/vulnerabilities/id/4ba46475-bf54-49a8-9b0e-fae3fb4e1df9?source=cve"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4074","summary":"The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. 
These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03474,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L191","https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L216","https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L217","https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L245","https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L246","https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/quran-live.php#L110","https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L191","https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L216","https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L217","https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L245","https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L246","https://plugins.trac.wordpress.org/browser/quran-live/trunk/quran-live.php#L110","https://www.wordfence.com/threat-intel/vulnerabilities/id/883484dd-d48d-46f9-ae96-223626c50039?source=c
ve"],"published_time":"2026-04-22T09:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1845","summary":"The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wordpress.org/plugins/re-pro/","https://www.wordfence.com/threat-intel/vulnerabilities/id/1978fd4f-f130-4e72-85df-24a6f9aebfe2?source=cve"],"published_time":"2026-04-22T09:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2714","summary":"The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Enquiry Form Title' setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/institute-management/tags/5.5/admin/inc/wl_im_settings.php#L47","https://plugins.trac.wordpress.org/browser/institute-management/trunk/admin/inc/wl_im_settings.php#L47","https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd62c3d-2c15-4d1c-9210-4c2aca379fe3?source=cve"],"published_time":"2026-04-22T09:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2717","summary":"The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02934,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098","https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098","https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745","https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve"],"published_time":"2026-04-22T09:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1379","summary":"The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00506,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/views/manual.php#L18","https://plugins.trac.wordpress.org/browser/http-headers/trunk/views/manual.php#L18","https://www.wordfence.com/threat-intel/vulnerabilities/id/02e63068-02a8-4106-b64e-430c24815e55?source=cve"],"published_time":"2026-04-22T09:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6023","summary":"In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00343,"ranking_epss":0.56918,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023"],"published_time":"2026-04-22T08:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6842","summary":"A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. 
This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.","cvss":2.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.5,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.01006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-6842","https://bugzilla.redhat.com/show_bug.cgi?id=2460018"],"published_time":"2026-04-22T08:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40542","summary":"Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00073,"ranking_epss":0.21915,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97","http://www.openwall.com/lists/oss-security/2026/04/22/5"],"published_time":"2026-04-22T08:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6022","summary":"In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space 
exhaustion.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.121,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022"],"published_time":"2026-04-22T08:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6840","summary":"Missing bounds validation for operator could allow out of range operator-code lookup during model loading\nAffected version is prior to commit  1.30.0.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02155,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6839","summary":"Improper validation of STRING tensor offsets could allow malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE\nAffected version is prior to commit  1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.0486,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40449","summary":"Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE.\nAffected version is prior to commit  
1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40450","summary":"Integer overflow in output tensor copy size calculation in Samsung Open Source ONE could cause incorrect copy length and memory corruption for oversized tensors.\nAffected version is prior to commit  1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02909,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41664","summary":"Integer overflow in memory copy size calculation in Samsung Open Source ONE could lead to invalid memory operations with large tensor shapes.\nAffected version is prior to commit  1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41665","summary":"Integer overflow in scratch buffer initialization size calculation in Samsung Open Source ONE could cause incorrect memory initialization for large intermediate tensors.\nAffected version is prior to commit  
1.30.0.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02155,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41666","summary":"Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.\nAffected version is prior to commit  1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41667","summary":"Integer overflow in constant tensor data size calculation in Samsung Open Source ONE could cause incorrect buffer sizing for large constant nodes.\nAffected version is prior to commit  1.30.0.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40448","summary":"Potential Integer overflow in tensor allocation size calculation could lead to insufficient memory allocation for large tensors in Samsung Open Source ONE.\nAffected version is prior to commit  
1.30.0.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02155,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/ONE/pull/16481"],"published_time":"2026-04-22T07:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22748","summary":"Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder  or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12906,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22748"],"published_time":"2026-04-22T06:16:04","vendor":"vmware","product":"spring_security","version":null},{"cve_id":"CVE-2026-22753","summary":"Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. 
This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.14447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22753"],"published_time":"2026-04-22T06:16:04","vendor":"vmware","product":"spring_security","version":null},{"cve_id":"CVE-2026-22754","summary":"Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07943,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22754"],"published_time":"2026-04-22T06:16:04","vendor":"vmware","product":"spring_security","version":null},{"cve_id":"CVE-2026-22747","summary":"Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. 
In a carefully crafted certificate, this can lead to an attacker impersonating another user.\nThis issue affects Spring Security: from 7.0.0 through 7.0.4.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03999,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22747"],"published_time":"2026-04-22T06:16:03","vendor":"vmware","product":"spring_security","version":null},{"cve_id":"CVE-2026-22746","summary":"Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10995,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22746"],"published_time":"2026-04-22T06:16:02","vendor":"vmware","product":"spring_security","version":null},{"cve_id":"CVE-2026-40451","summary":"DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the 
user.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.00031,"ranking_epss":0.09126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/DeepLcom/deepl-chrome-extension/security/advisories/GHSA-4x2r-q3p9-xhx4","https://jvn.jp/en/jp/JVN37524771/"],"published_time":"2026-04-22T05:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6834","summary":"The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00038,"ranking_epss":0.11483,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html","https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html"],"published_time":"2026-04-22T04:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6835","summary":"The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.0003,"ranking_epss":0.08448,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10836-ed15f-2.html","https://www.twcert.org.tw/tw/cp-132-10835-cb0c2-1.html"],"published_time":"2026-04-22T04:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6833","summary":"The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database 
contents.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00035,"ranking_epss":0.10364,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html","https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html"],"published_time":"2026-04-22T04:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41458","summary":"OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.00312,"ranking_epss":0.5439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22","https://github.com/owntone/owntone-server/pull/1980","https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5398","summary":"The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session.  
If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.\n\nA malicious process can abuse the dangling pointer to grant itself root privileges.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6386","summary":"In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries.  The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface.  In particular, it would always treat a page directory page entry as pointing to another page table page.\n\nThe bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6392","summary":"Tanium addressed an information disclosure vulnerability in Threat Response.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.0703,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.tanium.com/TAN-2026-011"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6408","summary":"Tanium 
addressed an information disclosure vulnerability in Tanium Server.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.tanium.com/TAN-2026-012"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6416","summary":"Tanium addressed an uncontrolled resource consumption vulnerability in Interact.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10532,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.tanium.com/TAN-2026-010"],"published_time":"2026-04-22T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41457","summary":"OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00036,"ranking_epss":0.10635,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217","https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters"],"published_time":"2026-04-22T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41146","summary":"facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. 
The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[\"\"i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00042,"ranking_epss":0.12865,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0","https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm","https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm"],"published_time":"2026-04-22T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40344","summary":"MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. 
The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":0.00154,"ranking_epss":0.35884,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091","https://github.com/minio/minio/pull/16484","https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237"],"published_time":"2026-04-22T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41145","summary":"MinIO is a high-performance object storage system. 
Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. 
While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":0.00113,"ranking_epss":0.29693,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091","https://github.com/minio/minio/pull/16484","https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"],"published_time":"2026-04-22T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41131","summary":"OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.0993,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openfga/openfga/releases/tag/v1.14.1","https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6"],"published_time":"2026-04-22T00:16:29","vendor":"openfga","product":"helm_charts","version":null},{"cve_id":"CVE-2026-41131","summary":"OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. 
The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.0993,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openfga/openfga/releases/tag/v1.14.1","https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6"],"published_time":"2026-04-22T00:16:29","vendor":"openfga","product":"openfga","version":null},{"cve_id":"CVE-2026-41133","summary":"pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.0925,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1","https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332","https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332"],"published_time":"2026-04-22T00:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41135","summary":"free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. 
A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to the PCF SBI interface to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint. The root cause is a `router.Use()` call inside an HTTP handler that registers a new CORS middleware on every incoming request, permanently growing the Gin router's handler chain. This leads to progressive memory exhaustion and eventual Denial of Service of the PCF, preventing all UEs from obtaining AM and SM policies and blocking 5G session establishment. Version 1.4.3 contains a patch.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00095,"ranking_epss":0.26225,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/free5gc/security/advisories/GHSA-98cp-84m9-q3qp","https://github.com/free5gc/pcf/commit/599803b1b2eb4611e26d5216481ee142bce71a16","https://github.com/free5gc/free5gc/security/advisories/GHSA-98cp-84m9-q3qp"],"published_time":"2026-04-22T00:16:29","vendor":"free5gc","product":"free5gc","version":null},{"cve_id":"CVE-2026-41135","summary":"free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to the PCF SBI interface to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint. The root cause is a `router.Use()` call inside an HTTP handler that registers a new CORS middleware on every incoming request, permanently growing the Gin router's handler chain. This leads to progressive memory exhaustion and eventual Denial of Service of the PCF, preventing all UEs from obtaining AM and SM policies and blocking 5G session establishment. 
Version 1.4.3 contains a patch.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00095,"ranking_epss":0.26225,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/free5gc/security/advisories/GHSA-98cp-84m9-q3qp","https://github.com/free5gc/pcf/commit/599803b1b2eb4611e26d5216481ee142bce71a16","https://github.com/free5gc/free5gc/security/advisories/GHSA-98cp-84m9-q3qp"],"published_time":"2026-04-22T00:16:29","vendor":"free5gc","product":"pcf","version":null},{"cve_id":"CVE-2026-41136","summary":"free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix.","cvss":5.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00026,"ranking_epss":0.07273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/amf/releases/tag/v1.4.3","https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5","https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"],"published_time":"2026-04-22T00:16:29","vendor":"free5gc","product":"amf","version":null},{"cve_id":"CVE-2026-41136","summary":"free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. 
Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix.","cvss":5.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00026,"ranking_epss":0.07273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/amf/releases/tag/v1.4.3","https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5","https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"],"published_time":"2026-04-22T00:16:29","vendor":"free5gc","product":"free5gc","version":null},{"cve_id":"CVE-2026-41144","summary":"F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check byteOffset + dataSize > fileSize uses U32 addition that wraps around on overflow. An attacker-crafted DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 overflows to 0, bypassing the check entirely. The subsequent file write proceeds at the original ~4GB offset. Additionally, Svc/FileUplink/File.cpp:20-31 performs no sanitization on the destination file path. Combined, these allow writing arbitrary data to any file at any offset. The impact is arbitrary file write leading to remote code execution on embedded targets. Note that this is a logic bug. ASAN does not detect it because all memory accesses are within valid buffers — the corruption occurs in file I/O. Version 4.2.0 contains a patch. 
No known workarounds are available.","cvss":0.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":0.0,"cvss_v4":null,"epss":0.00103,"ranking_epss":0.28064,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nasa/fprime/commit/cacdd555456bd83ab395b521d56c0330470ea798","https://github.com/nasa/fprime/security/advisories/GHSA-qmvv-rxh4-ccqh"],"published_time":"2026-04-22T00:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41304","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.01311,"ranking_epss":0.79863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb","https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp","https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp"],"published_time":"2026-04-22T00:16:29","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41064","summary":"WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. 
Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.094,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3","https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536","https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc","https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j","https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"],"published_time":"2026-04-22T00:16:28","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41126","summary":"BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL.\" Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08028,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8"],"published_time":"2026-04-22T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41127","summary":"BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions. Version 3.0.24 tightened the permissions on who is able to submit captions. 
No known workarounds are available.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.05961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33"],"published_time":"2026-04-22T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41128","summary":"Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00031,"ranking_epss":0.09131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27","https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3"],"published_time":"2026-04-22T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41129","summary":"Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. 
The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.","cvss":5.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.5,"epss":0.00029,"ranking_epss":0.08313,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"],"published_time":"2026-04-22T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41130","summary":"Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). 
Versions 4.17.9 and 5.9.15 patch the issue.","cvss":5.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.5,"epss":0.00036,"ranking_epss":0.10514,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783","https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh","https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"],"published_time":"2026-04-22T00:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40343","summary":"free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":6.9,"epss":0.00037,"ranking_epss":0.11139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"],"published_time":"2026-04-22T00:16:27","vendor":"free5gc","product":"free5gc","version":null},{"cve_id":"CVE-2026-40343","summary":"free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. 
This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":6.9,"epss":0.00037,"ranking_epss":0.11139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"],"published_time":"2026-04-22T00:16:27","vendor":"free5gc","product":"udr","version":null},{"cve_id":"CVE-2026-40575","summary":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. 
For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00077,"ranking_epss":0.22866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x"],"published_time":"2026-04-22T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41059","summary":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret`; and protected upstream applications that interpret `#` as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments. 
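As an added illustration of the fragment problem described for CVE-2026-41059 (this is not oauth2-proxy code: it is a simplified model of the matching behaviour the advisory describes, and the rule, the sample paths and the modelled backend routing are assumptions for the example):

```python
# Added example modelling the skip-auth allowlist bypass described for
# CVE-2026-41059. Not oauth2-proxy code: the matcher, the backend model and
# the sample paths are assumptions for this illustration.
import re
from urllib.parse import unquote

SKIP_AUTH_RULE = re.compile(r"^/foo/.*/bar$")   # the pattern quoted in the advisory


def skip_auth_naive(raw_path: str) -> bool:
    """Vulnerable model: decode the path and match the whole decoded string.

    '/foo/secret%23/bar' decodes to '/foo/secret#/bar', which satisfies
    ^/foo/.*/bar$, so the request is allowed through without authentication.
    """
    return SKIP_AUTH_RULE.search(unquote(raw_path)) is not None


def skip_auth_conservative(raw_path: str) -> bool:
    """Hardened model: decide on the path the backend will actually route.

    Everything from the first '#' (raw or %23-encoded) onward is fragment
    material and must not be allowed to satisfy the allowlist rule.
    """
    effective = unquote(raw_path).split("#", 1)[0]
    return SKIP_AUTH_RULE.search(effective) is not None


def backend_route(raw_path: str) -> str:
    """Model an upstream that treats '#' as a fragment delimiter after decoding.

    This is the upstream behaviour the advisory says makes a deployment affected.
    """
    return unquote(raw_path).split("#", 1)[0]


def decide(raw_path: str, matcher) -> dict:
    """Return what the proxy decides and what the backend would serve."""
    return {"skipped_auth": matcher(raw_path), "served_path": backend_route(raw_path)}


if __name__ == "__main__":
    for path in ("/foo/public/bar", "/foo/secret%23/bar", "/foo/secret"):
        print(path, decide(path, skip_auth_naive), decide(path, skip_auth_conservative))
```

The point the block makes is that the proxy and the backend must agree on which bytes constitute the path; when the proxy matches on a longer string than the backend routes on, any `.*` in the rule can be satisfied by material the backend never sees. Rejecting `%23` and `#` at the ingress, as the advisory suggests, removes the disagreement entirely.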
Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad `skip_auth_routes` rules.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.00133,"ranking_epss":0.32695,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"],"published_time":"2026-04-22T00:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4821","summary":"An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":8.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.1,"epss":0.00014,"ranking_epss":0.02524,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4872","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-21T23:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5512","summary":"An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.0005,"ranking_epss":0.15475,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5845","summary":"An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":0.00013,"ranking_epss":0.02089,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5921","summary":"A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.9,"epss":0.00049,"ranking_epss":0.15088,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41058","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. 
Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2","https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284","https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2","https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226","https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2"],"published_time":"2026-04-21T23:16:21","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41060","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/a0156a6398362086390d949190f9d52a823000ba","https://github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j","https://github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j"],"published_time":"2026-04-21T23:16:21","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41061","summary":"WWBN AVideo is an open source video platform. 
In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via `echo Video::getCleanDuration()` on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting. Commit bcba324644df8b4ed1f891462455f1cd26822a45 contains a fix.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/bcba324644df8b4ed1f891462455f1cd26822a45","https://github.com/WWBN/AVideo/security/advisories/GHSA-8pv3-29pp-pf8f","https://github.com/WWBN/AVideo/security/advisories/GHSA-8pv3-29pp-pf8f"],"published_time":"2026-04-21T23:16:21","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41062","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. 
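As an added illustration of four AVideo validation mismatches summarised above, CVE-2026-41064 (`/^http/` accepts `httpevil[.]com`), CVE-2026-41061 (`isValidDuration()` regex without an end anchor), CVE-2026-41060 (same-domain SSRF shortcut compares hostname but ignores port) and CVE-2026-41062 (`..` checked on the parsed path while the full URL is split on `/videos/`). This is not AVideo code: the PHP logic is re-expressed in Python, and `SITE_ROOT`, `VIDEOS_DIR`, the function names and every sample input are constructed for the example:

```python
# Added example modelling four AVideo validation mismatches:
#   CVE-2026-41064: /^http/ accepts 'httpevil.com' (prefix, not scheme)
#   CVE-2026-41061: isValidDuration() regex has no end anchor
#   CVE-2026-41060: same-domain SSRF shortcut compares hostname, ignores port
#   CVE-2026-41062: '..' checked on the parsed path, but the full URL is split
# Not AVideo code: SITE_ROOT, VIDEOS_DIR, function names and sample inputs are
# assumptions for this illustration.
import posixpath
import re
from urllib.parse import unquote, urlsplit

DURATION_RE = r"[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}"
SITE_ROOT = "https://video.example.com/"      # assumed webSiteRootURL
VIDEOS_DIR = "/srv/avideo/videos"             # assumed local videos directory
DEFAULT_PORT = {"http": 80, "https": 443}


def url_ok_vulnerable(url: str) -> bool:
    """/^http/ only checks that the string starts with the letters 'http'."""
    return re.match(r"^http", url) is not None


def url_ok_fixed(url: str) -> bool:
    """Require a real http(s) scheme and a host, not merely an 'http' prefix."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def duration_ok_vulnerable(value: str) -> bool:
    """Prefix match: anything may follow a valid hh:mm:ss."""
    return re.match("^" + DURATION_RE, value) is not None


def duration_ok_fixed(value: str) -> bool:
    """fullmatch rather than '$': '$' would still tolerate a trailing newline."""
    return re.fullmatch(DURATION_RE, value) is not None


def same_site_vulnerable(url: str) -> bool:
    """Hostname-only comparison: any port on the public host counts as same site."""
    return urlsplit(url).hostname == urlsplit(SITE_ROOT).hostname


def same_site_fixed(url: str) -> bool:
    """Compare scheme, host AND effective port, so host:8080 is not same site."""
    u, r = urlsplit(url), urlsplit(SITE_ROOT)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme)) == \
        (r.scheme, r.hostname, r.port or DEFAULT_PORT.get(r.scheme))


def local_path_vulnerable(url: str):
    """Check '..' on the parsed PATH, then split the FULL URL on '/videos/'.

    A payload in the query string never reaches the check but does reach
    the split, which is the mismatch described for CVE-2026-41062.
    """
    if ".." in urlsplit(url).path:
        return None                       # rejected by the incomplete fix
    parts = url.split("/videos/", 1)      # PHP: explode('/videos/', $url)
    if len(parts) < 2:
        return None
    return posixpath.normpath(posixpath.join(VIDEOS_DIR, parts[1]))


def local_path_fixed(url: str):
    """Derive the name from the decoded path only and confine it to VIDEOS_DIR."""
    path = unquote(urlsplit(url).path)
    if "/videos/" not in path:
        return None
    rel = path.split("/videos/", 1)[1]
    candidate = posixpath.normpath(posixpath.join(VIDEOS_DIR, rel))
    if candidate != VIDEOS_DIR and not candidate.startswith(VIDEOS_DIR + "/"):
        return None
    return candidate
```

All four share one root cause: the value that is validated is not the value that is used. The fixed variants validate the parsed, decoded component the code actually consumes (scheme, whole string, host plus port, normalised filesystem path) instead of a prefix or a different substring of the raw input.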
Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00202,"ranking_epss":0.4217,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d","https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441","https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33","https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6","https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6"],"published_time":"2026-04-21T23:16:21","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41063","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. 
Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08698,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d","https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf","https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j","https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc","https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc"],"published_time":"2026-04-21T23:16:21","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-4296","summary":"An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":7.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.5,"epss":0.0005,"ranking_epss":0.15475,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40926","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. 
Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2","https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w","https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-40928","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src=\"…\">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. 
Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04381,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c","https://github.com/WWBN/AVideo/security/advisories/GHSA-x2pw-9c38-cp2j","https://github.com/WWBN/AVideo/security/advisories/GHSA-x2pw-9c38-cp2j"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-40929","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. 
Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04381,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27","https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr","https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-40935","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09491,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453","https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr","https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41055","summary":"WWBN AVideo is an open source video platform. 
In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10743,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917","https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8","https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp","https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw","https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41056","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. 
Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00052,"ranking_epss":0.16007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e","https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq","https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-41057","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. 
Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03401,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13","https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4","https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4"],"published_time":"2026-04-21T23:16:20","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-3307","summary":"An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. 
This vulnerability was reported via the GitHub Bug Bounty program.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00046,"ranking_epss":0.14118,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25","https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20","https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"],"published_time":"2026-04-21T23:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6832","summary":"Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. 
Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.00093,"ranking_epss":0.25894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655","https://github.com/nesquena/hermes-webui/pull/409","https://github.com/nesquena/hermes-webui/pull/412","https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132","https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32","https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id"],"published_time":"2026-04-21T22:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40945","summary":"Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0005,"ranking_epss":0.15328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40946","summary":"Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. 
This vulnerability is fixed in 0.16.2.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.2,"epss":0.0005,"ranking_epss":0.15328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41527","summary":"KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01757,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79","https://github.com/KDE/kleopatra/releases","https://kde.org/info/security/advisory-20260408-1.txt"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6799","summary":"A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00841,"ranking_epss":0.74795,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Blackhole23-Lab/-/blob/main/Comfast-CF-N1-S-Router-VUDB.md","https://vuldb.com/submit/795203","https://vuldb.com/vuln/358492","https://vuldb.com/vuln/358492/cti"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6829","summary":"nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.0003,"ranking_epss":0.08658,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nesquena/hermes-webui/commit/2a7a5ddfaf39e3b0094b7ac37e9f1dbcf40a3918","https://github.com/nesquena/hermes-webui/pull/416","https://github.com/nesquena/hermes-webui/releases/tag/v0.50.34","https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-workspace-directory-access"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6830","summary":"nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. 
Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00012,"ranking_epss":0.01767,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0","https://github.com/nesquena/hermes-webui/pull/351","https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12","https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132","https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch"],"published_time":"2026-04-21T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40706","summary":"In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. 
The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.01937,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027","https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25","https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9","https://www.openwall.com/lists/oss-security/2026/04/21/4","http://www.openwall.com/lists/oss-security/2026/04/21/4","https://lists.debian.org/debian-lts-announce/2026/04/msg00024.html"],"published_time":"2026-04-21T22:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40931","summary":"Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this \"Logical vs. Physical\" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). 
This vulnerability is fixed in 2.1.1 and 1.10.5.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03771,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5","https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5"],"published_time":"2026-04-21T22:16:19","vendor":"node-modules","product":"compressing","version":null},{"cve_id":"CVE-2026-40933","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example \"npx\" can be combined with code execution arguments (\"-c touch /tmp/pwn\") that enable direct code execution on the underlying OS. 
This vulnerability is fixed in 3.1.0.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0007,"ranking_epss":0.21159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r","https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem","https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp","https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r"],"published_time":"2026-04-21T22:16:19","vendor":"flowiseai","product":"flowise","version":null},{"cve_id":"CVE-2026-40939","summary":"The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.8,"epss":0.00017,"ranking_epss":0.04314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dsf.dev/operations/v2.1.0/bpe/oidc.html","https://dsf.dev/operations/v2.1.0/fhir/oidc.html","https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7","https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"],"published_time":"2026-04-21T22:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40942","summary":"The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. 
Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.0004,"ranking_epss":0.12083,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef","https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908","https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634"],"published_time":"2026-04-21T22:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40943","summary":"Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00038,"ranking_epss":0.11404,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8"],"published_time":"2026-04-21T22:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40944","summary":"Oxia is a metadata store and coordination system. 
Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00023,"ranking_epss":0.06421,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oxia-db/oxia/security/advisories/GHSA-7jrq-q4pq-rhm6"],"published_time":"2026-04-21T22:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1354","summary":"Zero Motorcycles firmware versions 44 and prior enable an attacker to \nforcibly pair a device with the motorcycle via Bluetooth. Once paired, \nan attacker can utilize over-the-air firmware updating functionality to \npotentially upload malicious firmware to the motorcycle. The motorcycle \nmust first be in Bluetooth pairing mode, and the attacker must be in \nproximity of the vehicle and understand the full pairing process, to be \nable to pair their device with the vehicle. The attacker's device must \nremain paired with and in proximity of the motorcycle for the entire \nduration of the firmware update.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":5.9,"epss":0.0002,"ranking_epss":0.05648,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json","https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06"],"published_time":"2026-04-21T22:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6796","summary":"A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. 
Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.3,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00012,"ranking_epss":0.01849,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/794797","https://vuldb.com/vuln/358490","https://vuldb.com/vuln/358490/cti"],"published_time":"2026-04-21T21:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6797","summary":"A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.3,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00035,"ranking_epss":0.10154,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/794798","https://vuldb.com/vuln/358491","https://vuldb.com/vuln/358491/cti"],"published_time":"2026-04-21T21:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6823","summary":"HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = [\"*\"] permitting arbitrary remote senders to pass admission checks. 
Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":8.3,"epss":0.00077,"ranking_epss":0.22791,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/HKUDS/OpenHarness/commit/fab40c6eabfb15f2bdf23cddd3cfe66a64ea203d","https://github.com/HKUDS/OpenHarness/pull/147","https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7","https://www.vulncheck.com/advisories/hkuds-openharness-insecure-default-remote-channel-allowlist","https://github.com/HKUDS/OpenHarness/pull/147"],"published_time":"2026-04-21T21:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40927","summary":"Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08576,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34"],"published_time":"2026-04-21T21:16:46","vendor":"docmost","product":"docmost","version":null},{"cve_id":"CVE-2026-40938","summary":"Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. 
Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0007,"ranking_epss":0.21339,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tektoncd/pipeline/releases/tag/v1.11.1","https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq","https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq"],"published_time":"2026-04-21T21:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40910","summary":"frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. 
This vulnerability is fixed in 0.68.1.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12622,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9","https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"],"published_time":"2026-04-21T21:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40911","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00166,"ranking_epss":0.37379,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd","https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr","https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr"],"published_time":"2026-04-21T21:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40923","summary":"Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. 
Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. This vulnerability is fixed in 1.11.1.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tektoncd/pipeline/releases/tag/v1.11.1","https://github.com/tektoncd/pipeline/security/advisories/GHSA-rx35-6rhx-7858"],"published_time":"2026-04-21T21:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40924","summary":"Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. 
This vulnerability is fixed in 1.11.1.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tektoncd/pipeline/releases/tag/v1.11.1","https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74","https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74"],"published_time":"2026-04-21T21:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40925","summary":"WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. 
Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.0429,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/WWBN/AVideo/commit/f9492f5e6123dff0292d5bb3164fde7665dc36b4","https://github.com/WWBN/AVideo/security/advisories/GHSA-vvfw-4m39-fjqf","https://github.com/WWBN/AVideo/security/advisories/GHSA-vvfw-4m39-fjqf"],"published_time":"2026-04-21T21:16:45","vendor":"wwbn","product":"avideo","version":null},{"cve_id":"CVE-2026-40892","summary":"PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.","cvss":8.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":8.1,"epss":0.00048,"ranking_epss":0.14931,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pjsip/pjproject/commit/c82123ea6f3c3652bbc9ebd5e9e658c301451687","https://github.com/pjsip/pjproject/security/advisories/GHSA-2wcg-w3c4-48r7"],"published_time":"2026-04-21T21:16:44","vendor":"pjsip","product":"pjsip","version":null},{"cve_id":"CVE-2026-40895","summary":"follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). 
Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":6.9,"epss":0.00042,"ranking_epss":0.12816,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"],"published_time":"2026-04-21T21:16:44","vendor":"follow-redirects_project","product":"follow-redirects","version":null},{"cve_id":"CVE-2026-40905","summary":"LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv"],"published_time":"2026-04-21T21:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40906","summary":"Electric is a Postgres sync engine. 
From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08707,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/electric-sql/electric/pull/4081","https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj","https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"],"published_time":"2026-04-21T21:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35249","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Integrity impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).","cvss":3.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.2,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:41","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35250","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).","cvss":2.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.3,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03055,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:41","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35251","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. 
CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:41","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35252","summary":"Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API).  Supported versions that are affected are 12.2.1.4.0 and  12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Security Service.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Security Service accessible data as well as  unauthorized access to critical data or complete access to all Oracle Security Service accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35242","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. 
Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35243","summary":"Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces).  Supported versions that are affected are 12.2.1.4.0 and  14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF).  Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01729,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"application_development_framework","version":null},{"cve_id":"CVE-2026-35244","summary":"Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management).   The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as  unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N).","cvss":5.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.2,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35245","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox.  
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10877,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35246","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35247","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. 
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04379,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35248","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as  unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02909,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:40","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35235","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).  Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35236","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35237","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35238","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35239","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35240","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-35241","summary":"Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Research Tracking).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Records.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Records accessible data. CVSS 3.1 Base Score 5.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N).","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:39","vendor":"oracle","product":"peoplesoft_enterprise_cs_student_records","version":null},{"cve_id":"CVE-2026-34324","summary":"Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server).  Supported versions that are affected are 7.0.1.0 and  7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm.  
Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as  unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07034,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":"oracle","product":"life_sciences_inform","version":null},{"cve_id":"CVE-2026-34325","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Analytical Applications Infrastructure executes to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as  unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H).","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-35229","summary":"Vulnerability in the Java VM component of Oracle Database Server.  Supported versions that are affected are 19.3-19.30 and  21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35230","summary":"Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).   The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":"oracle","product":"vm_virtualbox","version":null},{"cve_id":"CVE-2026-35231","summary":"Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface).   The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Transaction Filtering.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Transaction Filtering accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35232","summary":"Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service).  Supported versions that are affected are 12.2.1.4.0 and  14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Fusion Middleware, attacks may significantly impact additional products (scope change). 
Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Fusion Middleware accessible data as well as  unauthorized read access to a subset of Oracle Fusion Middleware accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35234","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:38","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34315","summary":"Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services).  Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and  15.1.1.0.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07943,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":"oracle","product":"weblogic_server","version":null},{"cve_id":"CVE-2026-34317","summary":"Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02108,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34318","summary":"Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell.  While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).","cvss":5.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34319","summary":"Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell.  Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02108,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34320","summary":"Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface).   The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Customer Screening.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Customer Screening accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34321","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. 
Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N).","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09818,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-34323","summary":"Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: IDM Authentication).  Supported versions that are affected are 7.0.1.0 and  7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as  unauthorized read access to a subset of Oracle Life Sciences InForm accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Life Sciences InForm. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08263,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:37","vendor":"oracle","product":"life_sciences_inform","version":null},{"cve_id":"CVE-2026-34307","summary":"Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow).  Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as  unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"peoplesoft_enterprise_peopletools","version":null},{"cve_id":"CVE-2026-34308","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. 
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34309","summary":"Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security).  Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as  unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"peoplesoft_enterprise_peopletools","version":null},{"cve_id":"CVE-2026-34310","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-34312","summary":"Vulnerability in the RDBMS component of Oracle Database Server.  Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS.  Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in  unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N).","cvss":2.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34313","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.1084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-34314","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. 
Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00066,"ranking_epss":0.20197,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:36","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-34299","summary":"Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"peoplesoft_enterprise_fin_maintenance_management","version":null},{"cve_id":"CVE-2026-34300","summary":"Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Contracts.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Contracts accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08778,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34301","summary":"Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. 
CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"peoplesoft_enterprise_fin_maintenance_management","version":null},{"cve_id":"CVE-2026-34302","summary":"Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader).  Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow.  While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09579,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"workflow","version":null},{"cve_id":"CVE-2026-34303","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34304","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0956,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34305","summary":"Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services).  Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and  15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  
Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08864,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"weblogic_server","version":null},{"cve_id":"CVE-2026-34306","summary":"Vulnerability in the PeopleSoft Enterprise FIN Project Costing product of Oracle PeopleSoft (component: Projects).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Project Costing.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Project Costing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.08023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:35","vendor":"oracle","product":"peoplesoft_enterprise_fin_project_costing","version":null},{"cve_id":"CVE-2026-34292","summary":"Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).  Supported versions that are affected are 12.2.1.4.0 and  14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server.  
Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.2247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"weblogic_server","version":null},{"cve_id":"CVE-2026-34293","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0956,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34294","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory).   The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identity Manager Connector.  
Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as  unauthorized read access to a subset of Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N).","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34295","summary":"Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09818,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"peoplesoft_enterprise_scm_purchasing","version":null},{"cve_id":"CVE-2026-34296","summary":"Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management).   
The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06996,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"agile_product_lifecycle_management_for_process","version":null},{"cve_id":"CVE-2026-34297","summary":"Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration).  Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"hcm_common_architecture","version":null},{"cve_id":"CVE-2026-34298","summary":"Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization).  Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as  unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.09046,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:34","vendor":"oracle","product":"applications_framework","version":null},{"cve_id":"CVE-2026-34285","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector.  
Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as  unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1459,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34286","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as  unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1459,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34287","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as  unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1459,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34288","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector.  
Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34289","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34290","summary":"Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Identity Manager Connector.  
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Identity Manager Connector. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10545,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"identity_manager_connector","version":null},{"cve_id":"CVE-2026-34291","summary":"Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core).  Supported versions that are affected are 12.2.1.4.0 and  14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.  While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as  unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.1459,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:33","vendor":"oracle","product":"http_server","version":null},{"cve_id":"CVE-2026-34278","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  
Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0956,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34279","summary":"Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management).  Supported versions that are affected are 13.5 and  24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform.  While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10641,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"enterprise_manager_base_platform","version":null},{"cve_id":"CVE-2026-34280","summary":"Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Job Profile Manager).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Human Resources accessible data as well as  unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"peoplesoft_enterprise_hcm_human_resources","version":null},{"cve_id":"CVE-2026-34281","summary":"Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).   The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.  
While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"solaris","version":null},{"cve_id":"CVE-2026-34282","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.121,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34283","summary":"Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console).  Supported versions that are affected are 12.2.1.4.0 and  14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as  unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07034,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"identity_manager","version":null},{"cve_id":"CVE-2026-34284","summary":"Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+).  Supported versions that are affected are 12.2.1.4.0 and  14.1.2.0.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as  unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07034,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:32","vendor":"oracle","product":"business_process_management_suite","version":null},{"cve_id":"CVE-2026-34272","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34273","summary":"Vulnerability in Oracle GoldenGate (component: Libraries).  Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle GoldenGate accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.078,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34274","summary":"Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface).  Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). 
Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as  unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07034,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":"oracle","product":"configurator","version":null},{"cve_id":"CVE-2026-34275","summary":"Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration).  Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony.  Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12601,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34276","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. 
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34277","summary":"Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core).  Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools.  While the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as  unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08477,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:31","vendor":"oracle","product":"peoplesoft_enterprise_peopletools","version":null},{"cve_id":"CVE-2026-34266","summary":"Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as  unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":"oracle","product":"peoplesoft_enterprise_human_capital_management_absence_management","version":null},{"cve_id":"CVE-2026-34267","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0956,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34268","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).","cvss":2.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01704,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34269","summary":"Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal).  Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as  unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07034,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":"oracle","product":"peoplesoft_enterprise_peopletools","version":null},{"cve_id":"CVE-2026-34270","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. 
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-34271","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:30","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-22019","summary":"Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search).   The supported version that is affected is 9.2. 
Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as  unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:29","vendor":"oracle","product":"peoplesoft_enterprise_hcm_shared_components","version":null},{"cve_id":"CVE-2026-22021","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33518","summary":"An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12601,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"],"published_time":"2026-04-21T21:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33519","summary":"An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer 
credentials.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.12965,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"],"published_time":"2026-04-21T21:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22014","summary":"Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events).  Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User Management.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle User Management accessible data as well as  unauthorized read access to a subset of Oracle User Management accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).","cvss":3.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.8,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.06073,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:28","vendor":"oracle","product":"user_management","version":null},{"cve_id":"CVE-2026-22015","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06996,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:28","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-22016","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09722,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22017","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:28","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-22018","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22009","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:27","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-22010","summary":"Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform).  Supported versions that are affected are 8.0.7.9, 8.0.8.7 and  8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:27","vendor":"oracle","product":"financial_services_analytical_applications_infrastructure","version":null},{"cve_id":"CVE-2026-22011","summary":"Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch).  Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA.  
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications DBA, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications DBA. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":0.00069,"ranking_epss":0.21065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:27","vendor":"oracle","product":"applications_dba","version":null},{"cve_id":"CVE-2026-22013","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12118,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22005","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0956,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:26","vendor":"oracle","product":"mysql_server","version":null},{"cve_id":"CVE-2026-22006","summary":"Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Employee Snapshot).   The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources.  
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as  unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06332,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:26","vendor":"oracle","product":"peoplesoft_enterprise_hcm_human_resources","version":null},{"cve_id":"CVE-2026-22007","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).","cvss":2.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01704,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22008","summary":"Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07437,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:26","vendor":"oracle","product":"jdk","version":null},{"cve_id":"CVE-2026-22008","summary":"Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07437,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:26","vendor":"oracle","product":"jre","version":null},{"cve_id":"CVE-2026-21999","summary":"Vulnerability in the XML Database component of Oracle Database Server.  Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. 
 Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08864,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22001","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpuapr2026.html"],"published_time":"2026-04-21T21:16:25","vendor":"oracle","product":"mysql_server","version":null}]}
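The records above share one shape (`cve_id`, `summary`, `cvss`, `cvss_version`, `epss`, `kev`, `references`, `published_time`, `vendor`, `product`), and two things in them are worth checking programmatically rather than by eye: the feed emits one row per product, so CVE-2026-22008 appears twice (once as `jdk`, once as `jre`), and every Oracle row records `cvss_version` as 3.0 while the vector string embedded in its own summary says `CVSS:3.1`. The following Python is an added example, not part of the feed or of any Oracle tooling; it takes four rows copied from the feed above (trimmed to the sentences the parser needs), merges duplicate `cve_id` rows, pulls the CVSS vector and the "Supported versions that are affected" ranges out of the Oracle summary text, flags the version mismatch and scope changes, and ranks by KEV, then CVSS, then EPSS. All function names and the `flags` field are this example's own.

```python
"""Triage helpers for CVE feed rows in the shape shown on this page (added example)."""
import json
import re
from collections import OrderedDict

# Constructed input: four rows copied from the feed above, with summaries trimmed
# to the sentences the regexes below consume. CVE-2026-22008 is present twice,
# exactly as the feed emits it (product "jdk" and product "jre").
FEED_JSON = r'''{"cves":[
{"cve_id":"CVE-2026-22017","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and  9.0.0-9.6.0. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).","cvss":6.5,"cvss_version":3.0,"epss":0.00035,"kev":false,"vendor":"oracle","product":"mysql_server"},
{"cve_id":"CVE-2026-22011","summary":"Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch).  Supported versions that are affected are 12.2.3-12.2.15. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).","cvss":7.6,"cvss_version":3.0,"epss":0.00069,"kev":false,"vendor":"oracle","product":"applications_dba"},
{"cve_id":"CVE-2026-22008","summary":"Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"epss":0.00026,"kev":false,"vendor":"oracle","product":"jdk"},
{"cve_id":"CVE-2026-22008","summary":"Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"epss":0.00026,"kev":false,"vendor":"oracle","product":"jre"}
]}'''
SAMPLE_ROWS = json.loads(FEED_JSON)["cves"]

# Oracle advisories embed the vector as "CVSS Vector: (CVSS:3.1/AV:N/...)".
VECTOR_RE = re.compile(r"CVSS Vector: \(CVSS:(\d\.\d)/([^)]+)\)")
# Dotted version ranges such as "8.0.0-8.0.45"; "8u481-b50" style tags do not match.
RANGE_RE = re.compile(r"\b(\d+(?:\.\d+)+)-(\d+(?:\.\d+)+)\b")


def parse_vector(summary):
    """Return (vector_version, {metric: value}) from an Oracle summary, or None if absent."""
    m = VECTOR_RE.search(summary)
    if not m:
        return None
    metrics = dict(part.split(":", 1) for part in m.group(2).split("/"))
    return m.group(1), metrics


def affected_ranges(summary):
    """Extract (low, high) version ranges from the 'Supported versions that are affected' text."""
    return [(lo, hi) for lo, hi in RANGE_RE.findall(summary)]


def _vtuple(version):
    return tuple(int(x) for x in version.split("."))


def version_in_ranges(version, ranges):
    """True if a dotted version falls inside any (low, high) range, compared numerically."""
    v = _vtuple(version)
    return any(_vtuple(lo) <= v <= _vtuple(hi) for lo, hi in ranges)


def dedupe(rows):
    """Merge rows sharing a cve_id into one record carrying a 'products' list, keeping feed order."""
    merged = OrderedDict()
    for r in rows:
        cur = merged.get(r["cve_id"])
        if cur is None:
            cur = dict(r)
            cur["products"] = []
            merged[r["cve_id"]] = cur
        if r.get("product") and r["product"] not in cur["products"]:
            cur["products"].append(r["product"])
    return list(merged.values())


def triage(rows):
    """Rank deduplicated rows by (kev, cvss, epss) descending and attach data-quality flags."""
    out = []
    for r in dedupe(rows):
        parsed = parse_vector(r["summary"])
        flags = []
        if parsed and r.get("cvss_version") is not None:
            recorded = f"{r['cvss_version']:.1f}"
            if recorded != parsed[0]:  # e.g. field says 3.0, vector says CVSS:3.1
                flags.append(f"cvss_version field {recorded} but vector says CVSS:{parsed[0]}")
        if parsed and parsed[1].get("S") == "C":
            flags.append("scope change")
        out.append({
            "cve_id": r["cve_id"], "products": r["products"], "cvss": r["cvss"],
            "epss": r["epss"], "kev": r["kev"],
            "ranges": affected_ranges(r["summary"]), "flags": flags,
        })
    out.sort(key=lambda x: (bool(x["kev"]), x["cvss"] or 0.0, x["epss"] or 0.0), reverse=True)
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS):
        print(row["cve_id"], row["products"], row["cvss"], row["ranges"], row["flags"])
```

`version_in_ranges` compares versions numerically, so "8.0.45" sorts above "8.0.9"; a string comparison would get that wrong. The mismatch flag only fires where a summary carries a vector, so the CVSS v4 rows elsewhere on this page (no embedded vector) pass through unflagged.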