{"cves":[{"cve_id":"CVE-2026-28780","summary":"Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.\nIf mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.\n\nThis issue affects Apache HTTP Server: through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/05/9"],"published_time":"2026-05-05T22:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40075","summary":"OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation — the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation.\n\nAn attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the ..; path parameter bypass is not mitigated by the container. 
Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w"],"published_time":"2026-05-05T22:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40110","summary":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. 
This issue has been fixed in version 2.18.0.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea","https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8","https://github.com/jupyter-server/jupyter_server/pull/603","https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p"],"published_time":"2026-05-05T22:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40934","summary":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. 
This issue has been fixed in version 2.18.0.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"],"published_time":"2026-05-05T22:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40068","summary":"In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77"],"published_time":"2026-05-05T21:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41950","summary":"Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. 
Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langgenius/dify/releases/tag/1.14.0","https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d","https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid"],"published_time":"2026-05-05T21:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35527","summary":"Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations.\n\nThese requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host.\n\nThis vulnerability pattern is similar to CVE-2026-24767. 
This issue has been fixed in version 7.0.0.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/images.go","https://github.com/lxc/incus/security/advisories/GHSA-8gw4-p4wq-4hcv"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35579","summary":"CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.\n\nAn unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.\n\nThis issue has been fixed in version 1.14.3. 
As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39383","summary":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. \n\nThis is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.\n\nThis issue has been fixed in version 8.31.0. 
As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5vh4-rgv7-p9g4"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39402","summary":"lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. \n\nThis is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. 
This is patched in version 7.0.0.","cvss":4.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39849","summary":"Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. 
This issue has been fixed in version 6.6.1.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d","https://github.com/pi-hole/FTL/releases/tag/v6.6.1","https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39852","summary":"Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9"],"published_time":"2026-05-05T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7856","summary":"A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. 
The attack can be launched remotely. The exploit has been published and may be used.","cvss":7.3,"cvss_version":4.0,"cvss_v2":8.3,"cvss_v3":7.2,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md","https://vuldb.com/submit/807849","https://vuldb.com/vuln/361133","https://vuldb.com/vuln/361133/cti","https://www.dlink.com/"],"published_time":"2026-05-05T20:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7857","summary":"A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.","cvss":7.3,"cvss_version":4.0,"cvss_v2":8.3,"cvss_v3":7.2,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/user_group_asp_overflow.md","https://vuldb.com/submit/807853","https://vuldb.com/vuln/361134","https://vuldb.com/vuln/361134/cti","https://www.dlink.com/"],"published_time":"2026-05-05T20:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40331","summary":"Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. 
An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.\n\nThis issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j"],"published_time":"2026-05-05T20:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-44331","summary":"In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When \"UseReverseDNS on\" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1","https://github.com/proftpd/proftpd/issues/2057"],"published_time":"2026-05-05T20:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34596","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. 
When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required.\n\nThis issue has been fixed in version 1.17.3.","cvss":5.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-xjvp-63f2-v585"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35397","summary":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named \"test\", the API permits access to a sibling directory named \"testtest\" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named \"user1\" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. \n\nVersion 2.18.0 contains a fix. 
As a workaround, ensure folder names do not share a common prefix with any sibling directory.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35453","summary":"PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ \"items\"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. 
This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38947","summary":"FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/fluentcms/FluentCMS/issues/2405"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40280","summary":"Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. 
\n\nThis bypasses the same security control that was patched in CVE-2026-27018.\n\nThis issue has been fixed in version 8.31.0.","cvss":7.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/advisories/GHSA-jjwv-57xh-xr6r","https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47","https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40329","summary":"Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control.\n\nThis issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3xpq-q494-8qq4"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40330","summary":"Masa CMS is an open source content management system. 
In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.\n\nThis issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-56cc-gxfr-hqp8"],"published_time":"2026-05-05T20:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34084","summary":"PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. 
This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34458","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3","https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cjq-95qf"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34459","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. 
In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-7cpc-5hv7-rfmh"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34461","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. 
This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-wpjw-jh2p-gwx7"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34462","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-9cjg-vh9m-hhx4"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34464","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. 
In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34527","summary":"Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. 
The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force.\n\nThis issue has been fixed in version 1.17.3.","cvss":2.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w37h-qm9p-h4x2"],"published_time":"2026-05-05T20:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32936","summary":"CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/coredns/coredns/releases/tag/v1.14.3","https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr","https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33190","summary":"CoreDNS is a DNS server that chains plugins. 
In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/coredns/coredns/releases/tag/v1.14.3","https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33324","summary":"SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. 
This issue has been fixed in version 1.7.1.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dataease/SQLBot/security/advisories/GHSA-q2q6-gqqh-4xrx","https://github.com/dataease/SQLBot/security/advisories/GHSA-q2q6-gqqh-4xrx"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33420","summary":"Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5","https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-jjxg-p3v6-52ww"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33489","summary":"CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. 
As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., \"example.org.\" > \"a.example.org.\" lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/coredns/coredns/releases/tag/v1.14.3","https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3","https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33975","summary":"Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. 
An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m"],"published_time":"2026-05-05T20:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31893","summary":"Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in version 9.0beta02.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02","https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69","https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69"],"published_time":"2026-05-05T20:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32603","summary":"Sandboxie is an open source sandbox-based isolation software for Windows. 
In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \\Device\\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3","https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv"],"published_time":"2026-05-05T20:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32699","summary":"FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. 
This leads to unauthorized modification of a field intended to be immutable.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3","https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"],"published_time":"2026-05-05T20:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32934","summary":"CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/coredns/coredns/releases/tag/v1.14.3","https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"],"published_time":"2026-05-05T20:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52911","summary":"Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. 
The earliest affected version is 0.14.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bitcoincore.org","https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/","https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures"],"published_time":"2026-05-05T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7854","summary":"A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/url_rule_asp_overflow.md","https://vuldb.com/submit/807838","https://vuldb.com/vuln/361131","https://vuldb.com/vuln/361131/cti","https://www.dlink.com/"],"published_time":"2026-05-05T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7855","summary":"A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tggl_asp of the file /tggl.asp of the component HTTP Request Handler. Performing a manipulation of the argument Name results in buffer overflow. The attack can be initiated remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/tggl_asp_overflow.md","https://vuldb.com/submit/807841","https://vuldb.com/vuln/361132","https://vuldb.com/vuln/361132/cti","https://www.dlink.com/"],"published_time":"2026-05-05T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42997","summary":"An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.openwall.com/lists/oss-security/2026/05/05/10","http://www.openwall.com/lists/oss-security/2026/05/05/10"],"published_time":"2026-05-05T19:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27960","summary":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. 
As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx"],"published_time":"2026-05-05T19:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30923","summary":"ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15","https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g","https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g"],"published_time":"2026-05-05T19:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31835","summary":"Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (`backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. 
An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5","https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-x7g7-cgx5-jhx2"],"published_time":"2026-05-05T19:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38428","summary":"Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x","https://www.link.com"],"published_time":"2026-05-05T19:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7853","summary":"A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes buffer overflow. It is possible to initiate the attack remotely. 
The exploit has been made available to the public and could be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/auto_reboot_asp_overflow.md","https://vuldb.com/submit/807837","https://vuldb.com/vuln/361130","https://vuldb.com/vuln/361130/cti","https://www.dlink.com/"],"published_time":"2026-05-05T18:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7851","summary":"A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.","cvss":7.3,"cvss_version":4.0,"cvss_v2":8.3,"cvss_v3":7.2,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/draw-ctf/report/blob/main/DI-8100/yyxz_dlink_asp_overflow.md","https://vuldb.com/submit/807798","https://vuldb.com/vuln/361128","https://vuldb.com/vuln/361128/cti","https://www.dlink.com/"],"published_time":"2026-05-05T18:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7847","summary":"A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently random values. Access to the local network is required for this attack. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been made public and could be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":1.2,"cvss_version":4.0,"cvss_v2":1.4,"cvss_v3":2.6,"cvss_v4":1.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-3-Predictable-File-ID.md","https://github.com/chatchat-space/Langchain-Chatchat/","https://github.com/chatchat-space/Langchain-Chatchat/issues/5464","https://vuldb.com/submit/807796","https://vuldb.com/vuln/361126","https://vuldb.com/vuln/361126/cti"],"published_time":"2026-05-05T17:17:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38429","summary":"OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1"],"published_time":"2026-05-05T17:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38431","summary":"ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). 
An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine"],"published_time":"2026-05-05T17:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38432","summary":"ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed on the victim's browser when the template is applied.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine"],"published_time":"2026-05-05T17:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43002","summary":"An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/horizon/+bug/2150331","https://www.openwall.com/lists/oss-security/2026/05/05/7","https://bugs.launchpad.net/horizon/+bug/2150331"],"published_time":"2026-05-05T17:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23631","summary":"Redis is an in-memory data structure store. 
In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.","cvss":6.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/redis/redis/releases/tag/8.6.3","https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826"],"published_time":"2026-05-05T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25243","summary":"Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/redis/redis/releases/tag/8.6.3","https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4"],"published_time":"2026-05-05T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25588","summary":"RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. 
An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14","https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw"],"published_time":"2026-05-05T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25589","summary":"RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RedisBloom/RedisBloom/releases/tag/v2.8.20","https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-7862-34pw-44wv"],"published_time":"2026-05-05T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23479","summary":"Redis is an in-memory data structure store. 
In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/redis/redis/releases/tag/8.6.3","https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3"],"published_time":"2026-05-05T17:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7844","summary":"A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":6.3,"cvss_v4":2.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md","https://github.com/chatchat-space/Langchain-Chatchat/","https://github.com/chatchat-space/Langchain-Chatchat/issues/5465","https://vuldb.com/submit/807790","https://vuldb.com/vuln/361123","https://vuldb.com/vuln/361123/cti"],"published_time":"2026-05-05T16:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7845","summary":"A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":1.2,"cvss_version":4.0,"cvss_v2":1.4,"cvss_v3":2.6,"cvss_v4":1.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-1-tobytes-Hash-Collision.md","https://github.com/chatchat-space/Langchain-Chatchat/","https://github.com/chatchat-space/Langchain-Chatchat/issues/5462","https://vuldb.com/submit/807794","https://vuldb.com/vuln/361124","https://vuldb.com/vuln/361124/cti"],"published_time":"2026-05-05T16:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7846","summary":"A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":1.2,"cvss_version":4.0,"cvss_v2":1.4,"cvss_v3":2.6,"cvss_v4":1.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-2-Silent-File-Overwrite.md","https://github.com/chatchat-space/Langchain-Chatchat/","https://github.com/chatchat-space/Langchain-Chatchat/issues/5463","https://vuldb.com/submit/807795","https://vuldb.com/vuln/361125","https://vuldb.com/vuln/361125/cti"],"published_time":"2026-05-05T16:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7865","summary":"A hidden console command is vulnerable to a command injection\nflaw when control characters are passed to its second argument.\n\nA third-party researcher, Eugene Lim, discovered a vulnerability\nin the way the console command passes to a popen function call. Attackers with\nauthenticated access to the SSH console of Crestron devices may use it to run\nunderlying OS commands.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001","https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf"],"published_time":"2026-05-05T16:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6907","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). 
This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":2.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2026/may/05/security-releases/"],"published_time":"2026-05-05T16:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7411","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/102","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"published_time":"2026-05-05T16:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7412","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. 
An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/103","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"published_time":"2026-05-05T16:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5766","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\r\n \r\nAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kyle Agronick for reporting this issue.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2026/may/05/security-releases/"],"published_time":"2026-05-05T16:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43068","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()\n\nThere's issue 
as follows:\n...\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): error count since last fsck: 1\nEXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760\nEXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760\n...\n\nAccording to the log analysis, blocks are always requested from the\ncorrupted block group. 
This may happen as follows:\next4_mb_find_by_goal\n  ext4_mb_load_buddy\n   ext4_mb_load_buddy_gfp\n     ext4_mb_init_cache\n      ext4_read_block_bitmap_nowait\n      ext4_wait_block_bitmap\n       ext4_validate_block_bitmap\n        if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))\n         return -EFSCORRUPTED; // There's no logs.\n if (err)\n  return err;  // Will return error\next4_lock_group(ac->ac_sb, group);\n  if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable\n   goto out;\n\nAfter commit 9008a58e5dce (\"ext4: make the bitmap read routines return\nreal error codes\") merged, Commit 163a203ddb36 (\"ext4: mark block group\nas corrupt on block bitmap error\") is no real solution for allocating\nblocks from corrupted block groups. This is because if\n'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then\n'ext4_mb_load_buddy()' may return an error. This means that the block\nallocation will fail.\nTherefore, check block group if corrupted when ext4_mb_load_buddy()\nreturns error.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7","https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb","https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78","https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8","https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44","https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b","https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9","https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43069","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nBluetooth: hci_ll: Fix firmware leak on error path\n\nSmatch reports:\n\ndrivers/bluetooth/hci_ll.c:587 download_firmware() warn:\n'fw' from request_firmware() not released on lines: 544.\n\nIn download_firmware(), if request_firmware() succeeds but the returned\nfirmware content is invalid (no data or zero size), the function returns\nwithout releasing the firmware, resulting in a resource leak.\n\nFix this by calling release_firmware() before returning when\nrequest_firmware() succeeded but the firmware content is invalid.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28904375d54b436a757641fb0331537778c0de5a","https://git.kernel.org/stable/c/31148a7be723aa9f2e8fbd62424825ab8d577973","https://git.kernel.org/stable/c/5213ef54528dd1ac79b846e30d8f72ce092794aa","https://git.kernel.org/stable/c/95e8601af227b2b4390eecf8db6abdb9f6a91f17","https://git.kernel.org/stable/c/9ecbfd93cd6de6c78cb7fd51fe079e36c7ff074b","https://git.kernel.org/stable/c/a7803df606a7d22e896b030f619e1d9d20ae0c6b","https://git.kernel.org/stable/c/b2dfbf1b5ff192cefd49574b951a4af9ddd32213","https://git.kernel.org/stable/c/e6d95488c8c964d1df0d3e1db44c958706311e86"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43070","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reset register ID for BPF_END value tracking\n\nWhen a register undergoes a BPF_END (byte swap) operation, its scalar\nvalue is mutated in-place. 
If this register previously shared a scalar ID\nwith another register (e.g., after an `r1 = r0` assignment), this tie must\nbe broken.\n\nCurrently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.\nConsequently, if a conditional jump checks the swapped register, the\nverifier incorrectly propagates the learned bounds to the linked register,\nleading to false confidence in the linked register's value and potentially\nallowing out-of-bounds memory accesses.\n\nFix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case\nto break the scalar tie, similar to how BPF_NEG handles it via\n`__mark_reg_known`.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1","https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8","https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43071","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n  BUG: unable to handle page fault for address: ffff888b30b774b0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Oops: Oops: 0000 [#1] SMP PTI\n  RIP: 0010:__d_lookup+0x56/0x120\n   Call Trace:\n    d_lookup.cold+0x16/0x5d\n    lookup_dcache+0x27/0xf0\n    lookup_one_qstr_excl+0x2a/0x180\n    start_dirop+0x55/0xa0\n    simple_start_creating+0x8d/0xa0\n    debugfs_start_creating+0x8c/0x180\n    debugfs_create_dir+0x1d/0x1c0\n    pinctrl_init+0x6d/0x140\n    do_one_initcall+0x6d/0x3d0\n    kernel_init_freeable+0x39f/0x460\n    kernel_init+0x2a/0x260\n\nThere will be only 
one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nthe following process will access more than one bucket (whose memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n  b = d_hash(hash)\n    dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n    // The C standard defines the behavior of right shift amounts\n    // exceeding the bit width of the operand as undefined. The\n    // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n    // so 'b' will point to an unallocated memory region.\n  hlist_bl_for_each_entry_rcu(b)\n   hlist_bl_first_rcu(head)\n    h->first  // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable buckets to two,\nso that 'd_hash_shift' won't exceed the bit width of type u32.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526","https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73","https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af","https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b","https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d","https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43072","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: platform_get_irq_byname() returns an int\n\nplatform_get_irq_byname() will return a negative value if an error\nhappens, so it should be checked and not just passed directly into\ndevm_request_threaded_irq() hoping all will be 
ok.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0185e0494a561edfc482507f9de89c2ad798b33d","https://git.kernel.org/stable/c/0c1b117f7ba46fb8f6ebc5e0bfe5b58568c301ba","https://git.kernel.org/stable/c/63c11b19cdc154fa848a6c3b535bfb1dc7b60378","https://git.kernel.org/stable/c/9c10b83a004442c93d7a484c3d221a06a45821e1","https://git.kernel.org/stable/c/e597a809a2b97e927060ba182f58eb3e6101bc70","https://git.kernel.org/stable/c/ef2ee9db13b68c5e332b77c0a7108a2d4d56e114"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43073","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named '__copy_user_nocache()' function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  
That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd","https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660","https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe","https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4","https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0"],"published_time":"2026-05-05T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43060","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nnetfilter: nft_ct: drop pending enqueued packets on removal\n\nPackets sitting in nfqueue might hold a reference to:\n\n- templates that specify the conntrack zone, because a percpu area is\n  used and module removal is possible.\n- conntrack timeout policies and helper, where object removal leave\n  a stale reference.\n\nSince these objects can just go away, drop enqueued packets to avoid\nstale reference to them.\n\nIf there is a need for finer grain removal, this logic can be revisited\nto make selective packet drop upon dependencies.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/36eae0956f659e48d5366d9b083d9417f3263ddc","https://git.kernel.org/stable/c/3da0b946835f33bf36b459ead764c61a761e689b","https://git.kernel.org/stable/c/6802ff8beceb9c4254318e81c1395720438f2cc2","https://git.kernel.org/stable/c/77da55dee67720e2b8d2db49a53334e6c017ee7b","https://git.kernel.org/stable/c/8a64e76933672b08bd85b63086f33432070fd729","https://git.kernel.org/stable/c/ab50302190b303f847c4eba0e31a01a56dec596e","https://git.kernel.org/stable/c/e68a8db3a0546482b34e9ca5ca886bcf73eb37bb","https://git.kernel.org/stable/c/f29a055e4f593e577805b41228b142b58f48df1b"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43061","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix TX deadlock when using DMA\n\n`dmaengine_terminate_async` does not guarantee that the\n`__dma_tx_complete` callback will run. The callback is currently the\nonly place where `dma->tx_running` gets cleared. 
If the transaction is\ncanceled and the callback never runs, then `dma->tx_running` will never\nget cleared and we will never schedule new TX DMA transactions again.\n\nThis change makes it so we clear `dma->tx_running` after we terminate\nthe DMA transaction. This is \"safe\" because `serial8250_tx_dma_flush`\nis holding the UART port lock. The first thing the callback does is also\ngrab the UART port lock, so access to `dma->tx_running` is serialized.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1","https://git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41","https://git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762d","https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d","https://git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7","https://git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275","https://git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93","https://git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccf"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43062","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()\n\nl2cap_ecred_reconf_rsp() casts the incoming data to struct\nl2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with\nresult at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes\nwith result at offset 0).\n\nThis causes two problems:\n\n - The sizeof(*rsp) length check requires 8 bytes instead of the\n   correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected\n   with -EPROTO.\n\n - rsp->result reads from offset 6 instead of offset 0, returning\n   wrong data 
when the packet is large enough to pass the check.\n\nFix by using the correct type.  Also pass the already byte-swapped\nresult variable to BT_DBG instead of the raw __le16 field.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186","https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529","https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0","https://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7","https://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19","https://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d","https://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6","https://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43063","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't irele after failing to iget in xfs_attri_recover_work\n\nxlog_recovery_iget* never set @ip to a valid pointer if they return\nan error, so this irele will walk off a dangling pointer.  
Fix that.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40082d08b638485cbaa543dc8087a3d1844d6f08","https://git.kernel.org/stable/c/70685c291ef82269180758130394ecdc4496b52c","https://git.kernel.org/stable/c/a1a5df1038f0b3c560d204270373621a4e622808","https://git.kernel.org/stable/c/b5c5a50c2f513d4a13a6763564a07b470e69cc5a"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43064","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix not releasing workqueue on .release()\n\nThe workqueue associated with an DSA/IAA device is not released when\nthe object is freed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e","https://git.kernel.org/stable/c/3d33de353b1ff9023d5ec73b9becf80ea87af695","https://git.kernel.org/stable/c/958e96533ddbd1edd127feb7624a7eed0cc379dc","https://git.kernel.org/stable/c/d02c24af126dee45247dc7890409c86d1831859d","https://git.kernel.org/stable/c/fc34f199eb576b3a73089452fdf0056cc9a9301d","https://git.kernel.org/stable/c/fd4cb61bbd0fc3a749a8da6145cbb56d8f6dba35"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43065","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: always drain queued discard work in ext4_mb_release()\n\nWhile reviewing recent ext4 patch[1], Sashiko raised the following\nconcern[2]:\n\n> If the filesystem is initially mounted with the discard option,\n> deleting files will populate sbi->s_discard_list and queue\n> s_discard_work. 
If it is then remounted with nodiscard, the\n> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is\n> neither cancelled nor flushed.\n\n[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/\n[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev\n\nThe concern was valid, but it had nothing to do with the patch[1].\nOne of the problems with Sashiko in its current (early) form is that\nit will detect pre-existing issues and report it as a problem with the\npatch that it is reviewing.\n\nIn practice, it would be hard to hit deliberately (unless you are a\nmalicious syzkaller fuzzer), since it would involve mounting the file\nsystem with -o discard, and then deleting a large number of files,\nremounting the file system with -o nodiscard, and then immediately\nunmounting the file system before the queued discard work has a chance\nto drain on its own.\n\nFix it because it's a real bug, and to avoid Sashiko from raising this\nconcern when analyzing future patches to mballoc.c.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c82f863f090ab899085bdfade073313384b514b","https://git.kernel.org/stable/c/812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098","https://git.kernel.org/stable/c/9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8","https://git.kernel.org/stable/c/9ee29d20aab228adfb02ca93f87fb53c56c2f3af","https://git.kernel.org/stable/c/b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327","https://git.kernel.org/stable/c/c360e9d0def4f4ae03254a67c683103908555b75","https://git.kernel.org/stable/c/e96c2354b170aaa53300c8e8fd59e41b133160f7"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43066","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in 
ext4_fc_replay_inode() error paths\n\nDuring code review, Joseph found that ext4_fc_replay_inode() calls\next4_get_fc_inode_loc() to get the inode location, which holds a\nreference to iloc.bh that must be released via brelse().\n\nHowever, several error paths jump to the 'out' label without\nreleasing iloc.bh:\n\n - ext4_handle_dirty_metadata() failure\n - sync_dirty_buffer() failure\n - ext4_mark_inode_used() failure\n - ext4_iget() failure\n\nFix this by introducing an 'out_brelse' label placed just before\nthe existing 'out' label to ensure iloc.bh is always released.\n\nAdditionally, make ext4_fc_replay_inode() propagate errors\nproperly instead of always returning 0.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3","https://git.kernel.org/stable/c/19782b4c793b49a6aa4abbb307ddff3610009d21","https://git.kernel.org/stable/c/5a63033696e60b5d70816f1d119645ac5b0b0a03","https://git.kernel.org/stable/c/9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25","https://git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4","https://git.kernel.org/stable/c/ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b","https://git.kernel.org/stable/c/ec0a7500d8eace5b4f305fa0c594dd148f0e8d29","https://git.kernel.org/stable/c/f7817ad399d604e8639005d87d148b5ec626ad26"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43067","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running 
on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1","https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503","https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29","https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c","https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f","https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930"],"published_time":"2026-05-05T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43059","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") 
introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d","https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef","https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78","https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77"],"published_time":"2026-05-05T16:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35192","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. 
A remote attacker can steal a user's session after that user visits a cached public page.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2026/may/05/security-releases/"],"published_time":"2026-05-05T16:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39103","summary":"Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gpac/gpac/commit/391dc7f4d234988ea0bc3cc294eb725eddf8f702","https://github.com/gpac/gpac/issues/3506"],"published_time":"2026-05-05T16:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31195","summary":"The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command 
substitution.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://altice.com","http://gr140dg.com","https://xerod.io/advisories/XEROD-2026-0001"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31196","summary":"The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://altice.com","http://gr140dg.com","https://xerod.ai/advisories/XEROD-2026-0002"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32689","summary":"Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.\n\nIn 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries — a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. 
This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.\n\nA session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.\n\nThis issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-32689.html","https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7","https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf","https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q","https://osv.dev/vulnerability/EEF-CVE-2026-32689"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34000","summary":"A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. 
This could lead to the disclosure of memory contents or cause a denial of service by crashing the server.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-34000","https://bugzilla.redhat.com/show_bug.cgi?id=2451107"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34002","summary":"A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-34002","https://bugzilla.redhat.com/show_bug.cgi?id=2451112"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34956","summary":"A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. 
This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-34956","https://bugzilla.redhat.com/show_bug.cgi?id=2453459","http://www.openwall.com/lists/oss-security/2026/03/31/15"],"published_time":"2026-05-05T16:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61669","summary":"Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w","https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"],"published_time":"2026-05-05T16:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-66369","summary":"An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. 
Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://semiconductor.samsung.com/support/quality-support/product-security-updates/","https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/"],"published_time":"2026-05-05T16:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-52206","summary":"ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://ispconfig.com","https://www.ispconfig.org/blog/ispconfig-3-3-0p2-released-security-update/"],"published_time":"2026-05-05T16:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4304","summary":"The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528","https://weepie-plugins.com/changelog-weepie-cookie-allow-plugin/","https://www.wordfence.com/threat-intel/vulnerabilities/id/f783e626-37c0-4ad9-9074-c5332583a0cb?source=cve"],"published_time":"2026-05-05T14:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7778","summary":"An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://help.runzero.com/docs/release-notes/#402604160","https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/"],"published_time":"2026-05-05T14:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7834","summary":"A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/nas1dual/iptime2_en.md","https://vuldb.com/submit/807787","https://vuldb.com/vuln/361113","https://vuldb.com/vuln/361113/cti"],"published_time":"2026-05-05T14:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29168","summary":"Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.\n\nThis issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/05/6"],"published_time":"2026-05-05T14:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34408","summary":"An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). 
The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://herolab.usd.de/security-advisories/usd-2024-0002/","https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896/"],"published_time":"2026-05-05T14:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36355","summary":"The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://realtek.com","https://github.com/totekuh/CVE-2026-36355","https://github.com/totekuh/CVE-2026-36355"],"published_time":"2026-05-05T14:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36356","summary":"The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://forgeslt711.com","http://meig.com","https://github.com/totekuh/CVE-2026-36356","https://github.com/totekuh/CVE-2026-36356"],"published_time":"2026-05-05T14:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7832","summary":"A security flaw has been 
discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks.","cvss":6.4,"cvss_version":4.0,"cvss_v2":6.0,"cvss_v3":7.0,"cvss_v4":6.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/usernameone101/Writeups/blob/main/IObit%20Zero%20Day%20(Updated%20v2).pdf","https://vuldb.com/submit/797630","https://vuldb.com/vuln/361111","https://vuldb.com/vuln/361111/cti"],"published_time":"2026-05-05T13:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7833","summary":"A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":7.3,"cvss_version":4.0,"cvss_v2":8.3,"cvss_v3":7.2,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/c200/sub_409054_vulnerability_report_EN.md","https://vuldb.com/submit/807786","https://vuldb.com/vuln/361112","https://vuldb.com/vuln/361112/cti"],"published_time":"2026-05-05T13:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6918","summary":"In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eclipse-openj9/openj9/pull/23793","https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r","https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r"],"published_time":"2026-05-05T13:16:30","vendor":"eclipse","product":"openj9","version":null},{"cve_id":"CVE-2026-27693","summary":"Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. 
This issue is fixed in version 6.13.0.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54","https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656"],"published_time":"2026-05-05T13:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27694","summary":"Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv","https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv"],"published_time":"2026-05-05T13:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28510","summary":"eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. 
This issue is fixed in version 5.4.2.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9","https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65"],"published_time":"2026-05-05T13:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30246","summary":"Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621","https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92","https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8","https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"],"published_time":"2026-05-05T13:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27644","summary":"Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. 
When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91","https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7","https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7"],"published_time":"2026-05-05T13:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43572","summary":"OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.3,"epss":0.00028,"ranking_epss":0.0784,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/80b1fa17bfc3f6a668492f0326ea52f48bb89776","https://github.com/openclaw/openclaw/security/advisories/GHSA-gc9r-867r-j85f","https://www.vulncheck.com/advisories/openclaw-missing-sender-authorization-in-microsoft-teams-sso-invoke-handler"],"published_time":"2026-05-05T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43573","summary":"OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. 
Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":4.9,"epss":0.00027,"ranking_epss":0.07433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a","https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79","https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes"],"published_time":"2026-05-05T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43574","summary":"OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":0.00027,"ranking_epss":0.07542,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd","https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x","https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists"],"published_time":"2026-05-05T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6261","summary":"The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. 
This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00236,"ranking_epss":0.46401,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.muffingroup.com/changelog/","https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve"],"published_time":"2026-05-05T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6262","summary":"The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.13929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.muffingroup.com/changelog/","https://www.wordfence.com/threat-intel/vulnerabilities/id/3486f114-5625-4751-a25e-2c5ab7b15b38?source=cve"],"published_time":"2026-05-05T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43566","summary":"OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. 
Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.","cvss":9.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":9.1,"epss":0.00103,"ranking_epss":0.27685,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42","https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43567","summary":"OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00025,"ranking_epss":0.06949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a","https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5","https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43568","summary":"OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. 
Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00025,"ranking_epss":0.06949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/6af17b39e11f5f35e23b7e5a5f71a7d0aa3c7310","https://github.com/openclaw/openclaw/security/advisories/GHSA-5gjc-grvm-m88j","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-memory-dreaming-configuration-in-dreaming-endpoint"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43569","summary":"OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":7.7,"epss":0.00068,"ranking_epss":0.2054,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d","https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj","https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43570","summary":"OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. 
Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":0.00036,"ranking_epss":0.10541,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a","https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae","https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6","https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43571","summary":"OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":7.7,"epss":0.0004,"ranking_epss":0.11936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837","https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2","https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup"],"published_time":"2026-05-05T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43529","summary":"OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. 
An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check.","cvss":2.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":2.5,"cvss_v4":2.0,"epss":0.0001,"ranking_epss":0.01188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91","https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j","https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43530","summary":"OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00051,"ranking_epss":0.15518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9","https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44","https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43531","summary":"OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. 
Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":7.0,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c","https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc","https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43532","summary":"OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":4.9,"epss":0.00037,"ranking_epss":0.10993,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/979c6f09d6fad96596feb91c905934be7e0b4f15","https://github.com/openclaw/openclaw/security/advisories/GHSA-c9h3-5p7r-mrjh","https://www.vulncheck.com/advisories/openclaw-sandbox-media-normalization-bypass-via-discord-event-cover-image"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43533","summary":"OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. 
Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":8.9,"epss":0.00041,"ranking_epss":0.12213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6","https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h","https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43534","summary":"OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":9.3,"epss":0.00015,"ranking_epss":0.02949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29","https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr","https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43535","summary":"OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. 
Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":7.6,"epss":0.00022,"ranking_epss":0.06096,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69","https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm","https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches"],"published_time":"2026-05-05T12:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42436","summary":"OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":4.9,"epss":0.00027,"ranking_epss":0.07433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59","https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj","https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42437","summary":"OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. 
Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.2,"epss":0.00091,"ranking_epss":0.25445,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e","https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5","https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42438","summary":"OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":4.9,"epss":0.00027,"ranking_epss":0.07433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/c949af9fabf3873b5b7c484090cb5f5ab6049a98","https://github.com/openclaw/openclaw/security/advisories/GHSA-jhpv-5j76-m56h","https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-host-media-attachment-reads"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42439","summary":"OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. 
Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":4.9,"epss":0.00027,"ranking_epss":0.07433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3","https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh","https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43526","summary":"OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":8.3,"epss":0.0003,"ranking_epss":0.08393,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a","https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d","https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326","https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43527","summary":"OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. 
Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":6.3,"epss":0.00032,"ranking_epss":0.09315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed","https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2","https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a","https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f","https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c","https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43528","summary":"OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. 
Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00055,"ranking_epss":0.16892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4","https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q","https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases"],"published_time":"2026-05-05T12:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-54346","summary":"WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.0004,"ranking_epss":0.12053,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://backupbliss.com/","https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip","https://www.exploit-db.com/exploits/51445","https://www.vulncheck.com/advisories/wordpress-plugin-backup-migration-unauthenticated-database-backup-download"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-54347","summary":"OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. 
Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00148,"ranking_epss":0.34769,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz","https://www.exploit-db.com/exploits/51413","https://www.open-emr.org/","https://www.vulncheck.com/advisories/openemr-authentication-brute-force-mitigation-bypass"],"published_time":"2026-05-05T12:16:17","vendor":"open-emr","product":"openemr","version":null},{"cve_id":"CVE-2023-54348","summary":"ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00067,"ranking_epss":0.20314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426","https://rajodiya.com/","https://www.exploit-db.com/exploits/51220","https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-54349","summary":"AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. 
Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.00061,"ranking_epss":0.18609,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179","https://spondonit.com/","https://www.exploit-db.com/exploits/51219","https://www.vulncheck.com/advisories/amazcart-cms-reflected-cross-site-scripting-via-search"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42433","summary":"OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00025,"ranking_epss":0.06949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54","https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q","https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42434","summary":"OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. 
Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00051,"ranking_epss":0.15518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/dffad08529202edbf34e4808788e1182fe10f6a9","https://github.com/openclaw/openclaw/security/advisories/GHSA-736r-jwj6-4w23","https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-host-parameter-override-in-exec-routing"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42435","summary":"OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00096,"ranking_epss":0.2629,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab","https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9","https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection"],"published_time":"2026-05-05T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-54344","summary":"Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. 
Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00195,"ranking_epss":0.41082,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/51879","https://www.vulncheck.com/advisories/eclipse-equinox-osgi-remote-code-execution-via-console"],"published_time":"2026-05-05T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-54345","summary":"Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00096,"ranking_epss":0.26146,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://erpnext.org","https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script","https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6","https://github.com/frappe/frappe/","https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42","https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/","https://www.exploit-db.com/exploits/51580","https://www.vulncheck.com/advisories/frappe-framework-erpnext-remote-code-execution"],"published_time":"2026-05-05T12:16:16","vendor":"frappe","product":"erpnext","version":null},{"cve_id":"CVE-2023-54342","summary":"Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by 
exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00192,"ranking_epss":0.40732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/51878","https://www.vulncheck.com/advisories/eclipse-equinox-osgi-console-remote-code-execution"],"published_time":"2026-05-05T12:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6322","summary":"fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.openjsf.org/security-advisories.html","https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"],"published_time":"2026-05-05T11:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-42611","summary":"RouterOS provides various services that rely on correct\nverification of client and server certificates to secure confidentiality and\nintegrity of communications. 
This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\namong others.\n\n\n\nThe vulnerability lies in shared certificate validation\nlogic which uses the system certificate store that is shared and equally\ntrusted by all system services. This causes confusion of scope, allowing any\ncertificate authority present in the system-wide trust store to be trusted in\nany context (with some exceptions), allowing partial or full authentication\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05324,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cert.si/en/cve-2025-42611/"],"published_time":"2026-05-05T11:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43868","summary":"Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/zj76dtwnbbs1m7z3focf4wd51pqpsmn9"],"published_time":"2026-05-05T09:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43870","summary":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the 
issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00298,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy","http://www.openwall.com/lists/oss-security/2026/05/05/4"],"published_time":"2026-05-05T09:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3359","summary":"The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00069,"ranking_epss":0.20951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3518461/form-maker","https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve"],"published_time":"2026-05-05T09:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3601","summary":"The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/admin/class-ur-admin-assets.php#L370","https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/class-ur-ajax.php#L1003","https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/admin/class-ur-admin-assets.php#L370","https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/class-ur-ajax.php#L1003","https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/includes/class-ur-ajax.php?contextall=1","https://www.wordfence.com/threat-intel/vulnerabilities/id/c8798fb2-4cab-4960-9e32-fd74bb4a5091?source=cve"],"published_time":"2026-05-05T09:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43869","summary":"Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":4e-05,"ranking_epss":0.00156,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r","http://www.openwall.com/lists/oss-security/2026/05/05/3"],"published_time":"2026-05-05T08:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7824","summary":"An issue was discovered in the PaperCut Hive Ricoh embedded application. 
When the \"Deep Logging\" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files.\n\n\n\nAn attacker with administrative access to the PaperCut Hive management portal could remotely enable deep logging and subsequently retrieve sensitive device passwords from the logs after an authorized user authenticates at the device. This exposure allows for the lateral movement or unauthorized configuration of the physical print hardware.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.9,"epss":0.00046,"ranking_epss":0.13959,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/"],"published_time":"2026-05-05T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3454","summary":"The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02441,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.php#L335","https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L364","https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L64","https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L392","https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L424","https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L501","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3495827%40generateblocks%2Ftrunk&old=3415721%40generateblocks%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0?source=cve"],"published_time":"2026-05-05T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40797","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection.\n\nThis issue affects WebinarIgnition: from n/a through 
4.08.253.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve"],"published_time":"2026-05-05T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5192","summary":"The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.12819,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3500671/forminator","https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve"],"published_time":"2026-05-05T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6180","summary":"A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. 
If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes.\n\n\n\nThis leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.","cvss":4.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.1,"epss":0.0004,"ranking_epss":0.12066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/"],"published_time":"2026-05-05T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6418","summary":"An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.\n\n\n\nDue to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.\n\n\n\nWhen the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. 
This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.6,"epss":0.00033,"ranking_epss":0.09433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/"],"published_time":"2026-05-05T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2729","summary":"The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3500669/forminator","https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve"],"published_time":"2026-05-05T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7823","summary":"A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_330/README.md","https://vuldb.com/submit/807775","https://vuldb.com/vuln/361075","https://vuldb.com/vuln/361075/cti","https://www.totolink.net/"],"published_time":"2026-05-05T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4362","summary":"The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. 
The widget's custom designs, text, and configurations are permanently replaced with a blank template.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.41545,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37","https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10","https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27","https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2&new_path=%2Felementskit-lite/tags/3.9.0","https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=cve"],"published_time":"2026-05-05T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7811","summary":"A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00046,"ranking_epss":0.13877,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/54yyyu/code-mcp/","https://github.com/54yyyu/code-mcp/issues/4","https://vuldb.com/submit/807751","https://vuldb.com/vuln/361071","https://vuldb.com/vuln/361071/cti"],"published_time":"2026-05-05T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7812","summary":"A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01039,"ranking_epss":0.77506,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/54yyyu/code-mcp/","https://github.com/54yyyu/code-mcp/issues/5","https://vuldb.com/submit/807752","https://vuldb.com/vuln/361072","https://vuldb.com/vuln/361072/cti"],"published_time":"2026-05-05T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7822","summary":"A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. 
The exploit is publicly available and might be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/submit/issues/14","https://itsourcecode.com/","https://vuldb.com/submit/807773","https://vuldb.com/vuln/361074","https://vuldb.com/vuln/361074/cti"],"published_time":"2026-05-05T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5294","summary":"The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00192,"ranking_epss":0.40732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot","https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve"],"published_time":"2026-05-05T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5957","summary":"The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. 
In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19543,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163","https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166","https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170","https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252","https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163","https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166","https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170","https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3511701%40emailkit%2Ftrunk&old=3496714%40emailkit%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve"],"published_time":"2026-05-05T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7810","summary":"A flaw has been found in UsamaK98 python-notebook-mcp up to 
a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00046,"ranking_epss":0.13877,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/UsamaK98/python-notebook-mcp/","https://github.com/UsamaK98/python-notebook-mcp/issues/5","https://vuldb.com/submit/807748","https://vuldb.com/vuln/361070","https://vuldb.com/vuln/361070/cti"],"published_time":"2026-05-05T04:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4803","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00104,"ranking_epss":0.27857,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613","https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve"],"published_time":"2026-05-05T04:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5159","summary":"The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3514368%40royal-elementor-addons%2Ftrunk&old=3503219%40royal-elementor-addons%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve"],"published_time":"2026-05-05T04:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4665","summary":"The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. 
When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-carousel-free/tags/2.7.10/public/js/fancybox-config.js#L3","https://plugins.trac.wordpress.org/browser/wp-carousel-free/trunk/public/js/fancybox-config.js#L3","https://plugins.trac.wordpress.org/changeset/3506878/wp-carousel-free/trunk/public/js/fancybox.js","https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d?source=cve"],"published_time":"2026-05-05T04:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35228","summary":"Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that is affected is 1.0.1-1.0.156. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. 
Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html"],"published_time":"2026-05-05T04:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3456","summary":"The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19699,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3474168/geeky-bot","https://www.wordfence.com/threat-intel/vulnerabilities/id/4c716fd3-6297-4b3a-a796-65f68f2986cf?source=cve"],"published_time":"2026-05-05T04:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2948","summary":"The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. 
This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3507804/gutenverse","https://www.wordfence.com/threat-intel/vulnerabilities/id/ac909a4b-d949-42eb-871a-963bc6242c12?source=cve"],"published_time":"2026-05-05T04:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6704","summary":"The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00087,"ranking_epss":0.24736,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L173","https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L46","https://wordpress.org/plugins/blog-settings/","https://www.wordfence.com/threat-intel/vulnerabilities/id/d28e5374-dd34-4745-a20b-059e9846d96d?source=cve"],"published_time":"2026-05-05T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5505","summary":"The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. 
This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09324,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L23","https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L26","https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L23","https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L26","https://www.wordfence.com/threat-intel/vulnerabilities/id/ec49ed83-a09d-460d-be34-0fb79032b543?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6255","summary":"The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.0803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/tags/2.1.1/inc/owls_wrapper.php#L11","https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/trunk/inc/owls_wrapper.php#L11","https://www.wordfence.com/threat-intel/vulnerabilities/id/e33a2f27-20c2-4963-9558-1eead0515690?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6696","summary":"The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00104,"ranking_epss":0.27857,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L104","https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L62","https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L71","https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L79","https://wordpress.org/plugins/zingaya-click-to-call/","https://www.wordfence.com/threat-intel/vulnerabilities/id/5bdd515c-6b52-467c-9446-6ae9b3b75e50?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6700","summary":"The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. 
This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a forged request that modifies the plugin's configuration options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02162,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L46","https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L79","https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L46","https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L79","https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c96e57-0300-4ea7-a0c6-5d060b6e979d?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6701","summary":"The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L312","https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L45","https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L30","https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L59","https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L83","https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L312","https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L45","https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L30","https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L59","https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L83","https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6702","summary":"The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. 
This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02917,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L136","https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L76","https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/prefs.php#L219","https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L136","https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L76","https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/prefs.php#L219","https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dc5349-139a-4bf3-8503-0e75b132c68c?source=cve"],"published_time":"2026-05-05T03:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1921","summary":"The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. 
Files named wp-config.php are excluded.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00217,"ranking_epss":0.43986,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12","https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92","https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12","https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92","https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3","https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2868","summary":"The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3507804/gutenverse","https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4409","summary":"The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.15073,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37","https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164","https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613","https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4730","summary":"The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored 
Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/tags/2.1.0/chartsninja.php#L24","https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/trunk/chartsninja.php#L24","https://wordpress.org/plugins/charts-ninja-graphs-and-charts","https://www.wordfence.com/threat-intel/vulnerabilities/id/491c7680-d270-41ed-a756-9397a0bd86bc?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5100","summary":"The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00103,"ranking_epss":0.27772,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.p
hp#L881","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902","https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903","https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5247","summary":"The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07757,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/publishpress/publishpress-future/releases","https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173","https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173","https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve"],"published_time":"2026-05-05T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-13618","summary":"The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.0007,"ranking_epss":0.21086,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html","https://themeforest.net/item/mentoring-education-wordpress-theme/36457081","https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve"],"published_time":"2026-05-05T03:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5722","summary":"The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. 
This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.4159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://moreconvert.com/changelog/","https://wordpress.org/plugins/smart-wishlist-for-more-convert/","https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve"],"published_time":"2026-05-05T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-44029","summary":"An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via \"nix-prefetch-url --unpack\" or \"nix store prefetch-file --unpack\" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00241,"ranking_epss":0.47198,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407","https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p","https://www.openwall.com/lists/oss-security/2026/05/04/33"],"published_time":"2026-05-05T01:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-44028","summary":"An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. 
Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00324,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407","https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368","https://www.openwall.com/lists/oss-security/2026/05/04/32","https://www.openwall.com/lists/oss-security/2026/05/04/33"],"published_time":"2026-05-05T01:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7788","summary":"A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/path results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00046,"ranking_epss":0.13877,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Axle-Bucamp/MCP-Docusaurus/","https://github.com/Axle-Bucamp/MCP-Docusaurus/issues/2","https://vuldb.com/submit/807746","https://vuldb.com/vuln/360994","https://vuldb.com/vuln/360994/cti"],"published_time":"2026-05-05T00:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7783","summary":"A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00026,"ranking_epss":0.0731,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bytium.com/insights/blind-sql-injection-in-perfex-crm-3-4-1","https://vuldb.com/submit/807743","https://vuldb.com/vuln/360980","https://vuldb.com/vuln/360980/cti"],"published_time":"2026-05-05T00:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7784","summary":"A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00021,"ranking_epss":0.05764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RTGS2017/NagaAgent/","https://github.com/RTGS2017/NagaAgent/issues/311","https://vuldb.com/submit/807744","https://vuldb.com/vuln/360981","https://vuldb.com/vuln/360981/cti"],"published_time":"2026-05-05T00:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7785","summary":"A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01039,"ranking_epss":0.77506,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/A-G-U-P-T-A/wireshark-mcp/","https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1","https://vuldb.com/submit/807745","https://vuldb.com/vuln/360985","https://vuldb.com/vuln/360985/cti"],"published_time":"2026-05-05T00:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7781","summary":"A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c of the component amf-3gpp-access Endpoint. 
The manipulation leads to denial of service. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4420","https://vuldb.com/submit/806251","https://vuldb.com/vuln/360978","https://vuldb.com/vuln/360978/cti"],"published_time":"2026-05-04T23:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7782","summary":"A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed remotely. The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00034,"ranking_epss":0.09716,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments","https://vuldb.com/submit/807683","https://vuldb.com/vuln/360979","https://vuldb.com/vuln/360979/cti"],"published_time":"2026-05-04T23:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7776","summary":"Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. 
This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09388,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake"],"published_time":"2026-05-04T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7780","summary":"A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of the component smf-registrations Endpoint. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4419","https://vuldb.com/submit/806250","https://vuldb.com/vuln/360977","https://vuldb.com/vuln/360977/cti"],"published_time":"2026-05-04T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7791","summary":"Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to 
SYSTEM.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00012,"ranking_epss":0.01664,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-025-aws/"],"published_time":"2026-05-04T22:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7779","summary":"A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00106,"ranking_epss":0.28129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4418","https://vuldb.com/submit/806249","https://vuldb.com/vuln/360976","https://vuldb.com/vuln/360976/cti"],"published_time":"2026-05-04T21:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42221","summary":"Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. 
A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00085,"ranking_epss":0.24374,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp"],"published_time":"2026-05-04T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42222","summary":"Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-mxqh-q9h6-v8pq"],"published_time":"2026-05-04T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42223","summary":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:\"true\" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. 
This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08663,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm"],"published_time":"2026-05-04T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42238","summary":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. 
This issue has been patched in version 2.3.8.","cvss":9.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.0,"epss":0.0023,"ranking_epss":0.45564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"],"published_time":"2026-05-04T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42220","summary":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39"],"published_time":"2026-05-04T21:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7768","summary":"@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. 
Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.openjsf.org/security-advisories.html","https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg"],"published_time":"2026-05-04T20:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6321","summary":"fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08422,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.openjsf.org/security-advisories.html","https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"],"published_time":"2026-05-04T20:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41923","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. 
Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00502,"ranking_epss":0.66089,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi"],"published_time":"2026-05-04T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41924","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. 
Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00211,"ranking_epss":0.43369,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-makerequest-cgi"],"published_time":"2026-05-04T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41925","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. 
Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00452,"ranking_epss":0.63745,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-adm-cgi-reboot-time"],"published_time":"2026-05-04T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41926","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. 
Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00438,"ranking_epss":0.63139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi"],"published_time":"2026-05-04T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41927","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based buffer overflow vulnerability in the firewall.cgi and makeRequest.cgi binaries that allows unauthenticated attackers to overwrite the saved return address by sending a POST request with a Content-Length header exceeding 512 bytes. 
Attackers can exploit insufficient length validation in the fgets() call to achieve arbitrary code execution through return-oriented programming or return-to-libc techniques.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.3,"epss":0.00042,"ranking_epss":0.1255,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-stack-based-buffer-overflow-via-firewall-cgi"],"published_time":"2026-05-04T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34882","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2026-6074. Reason: This record is a reservation duplicate of CVE-2026-6074. Notes: All CVE users should reference CVE-2026-6074 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-04T20:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41922","summary":"WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. 
Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.0085,"ranking_epss":0.74968,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html","https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China","https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-wireless-cgi"],"published_time":"2026-05-04T20:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-67796","summary":"IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users' data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. 
Fixed in version 2.10.6.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04441,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/ikus-soft/rdiffweb","https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02"],"published_time":"2026-05-04T20:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43964","summary":"Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11473,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html","http://www.openwall.com/lists/oss-security/2026/05/04/30"],"published_time":"2026-05-04T19:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42234","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.0007,"ranking_epss":0.21244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4"],"published_time":"2026-05-04T19:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42235","summary":"n8n is an open source workflow automation platform. 
Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.8,"epss":0.00091,"ranking_epss":0.25328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq"],"published_time":"2026-05-04T19:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42236","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00141,"ranking_epss":0.33749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6"],"published_time":"2026-05-04T19:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42237","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.0003,"ranking_epss":0.08501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7"],"published_time":"2026-05-04T19:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42229","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00047,"ranking_epss":0.14123,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp"],"published_time":"2026-05-04T19:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42230","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks \"Deny\" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":0.00063,"ranking_epss":0.19253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9"],"published_time":"2026-05-04T19:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42231","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. 
An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":0.00476,"ranking_epss":0.64925,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5"],"published_time":"2026-05-04T19:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42232","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":0.00053,"ranking_epss":0.16303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r"],"published_time":"2026-05-04T19:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42233","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00047,"ranking_epss":0.14123,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755"],"published_time":"2026-05-04T19:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42151","summary":"Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01256,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/prometheus/prometheus/pull/18587","https://github.com/prometheus/prometheus/pull/18590","https://github.com/prometheus/prometheus/releases/tag/v3.11.3","https://github.com/prometheus/prometheus/releases/tag/v3.5.3","https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"],"published_time":"2026-05-04T19:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42154","summary":"Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. 
Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05785,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/prometheus/prometheus/pull/18584","https://github.com/prometheus/prometheus/pull/18585","https://github.com/prometheus/prometheus/releases/tag/v3.11.3","https://github.com/prometheus/prometheus/releases/tag/v3.5.3","https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"],"published_time":"2026-05-04T19:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42226","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. 
This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.00058,"ranking_epss":0.17824,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr"],"published_time":"2026-05-04T19:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42227","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00038,"ranking_epss":0.11339,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22"],"published_time":"2026-05-04T19:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42228","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. 
An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00262,"ranking_epss":0.4944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw"],"published_time":"2026-05-04T19:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38751","summary":"OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/devcode-it/openstamanager","https://github.com/fuutianyii/poc"],"published_time":"2026-05-04T19:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41686","summary":"Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0o666 for files, 0o777 for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. 
This issue has been patched in version 0.91.1.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":0.00013,"ranking_epss":0.02158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf"],"published_time":"2026-05-04T19:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25863","summary":"Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00072,"ranking_epss":0.21679,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wordpress.org/plugins/cf7-conditional-fields/#developers","https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption"],"published_time":"2026-05-04T19:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42796","summary":"Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. 
Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.2,"epss":0.00277,"ranking_epss":0.51042,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Arelle/Arelle/pull/2320","https://github.com/Arelle/Arelle/releases/tag/2.39.10","https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure"],"published_time":"2026-05-04T18:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43616","summary":"Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup 
scripts.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":6.8,"epss":0.00018,"ranking_epss":0.04659,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee","https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69","https://github.com/horsicq/DIE-engine/releases/tag/3.21","https://github.com/horsicq/Detect-It-Easy","https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259","https://github.com/horsicq/XArchive/commit/6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc","https://www.vulncheck.com/advisories/detect-it-easy-path-traversal-arbitrary-file-write"],"published_time":"2026-05-04T18:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42088","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. 
This issue has been patched in version 7.0.0-rc3.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06554,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenC3/cosmos/releases/tag/v7.0.0","https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3","https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr","https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42091","summary":"goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32","https://github.com/patrickhener/goshs/releases/tag/v2.0.2","https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm","https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42092","summary":"titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. 
Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08663,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/titraio/titra/security/advisories/GHSA-4h9p-49hg-vppw"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42138","summary":"Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00149,"ranking_epss":0.3492,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langgenius/dify/releases/tag/1.13.1","https://github.com/langgenius/dify/security/advisories/GHSA-cg94-8v83-7hjj","https://github.com/langgenius/dify/security/advisories/GHSA-cg94-8v83-7hjj"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42140","summary":"PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to \"render\" the diagram. 
This issue has been patched in version 2.4.1.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c","https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc","https://jira.xwiki.org/browse/PLANTUML-25"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42144","summary":"CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d","https://github.com/GreycLab/CImg/issues/478","https://github.com/GreycLab/CImg/releases/tag/v.3.7.5","https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42146","summary":"CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. 
A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3","https://github.com/GreycLab/CImg/issues/477","https://github.com/GreycLab/CImg/releases/tag/v.3.7.5","https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv"],"published_time":"2026-05-04T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42052","summary":"Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00047,"ranking_epss":0.14314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/beetbox/beets/releases/tag/v2.10.0","https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847"],"published_time":"2026-05-04T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42084","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. 
In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776","https://github.com/OpenC3/cosmos/releases/tag/v6.10.5","https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3","https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"],"published_time":"2026-05-04T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42085","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. 
This issue has been patched in versions 6.10.5 and 7.0.0-rc3.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11768,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5","https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42","https://github.com/OpenC3/cosmos/releases/tag/v6.10.5","https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3","https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h","https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h"],"published_time":"2026-05-04T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42086","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. 
This issue has been patched in version 7.0.0.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09404,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x","https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"],"published_time":"2026-05-04T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42087","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06813,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415","https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3","https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5","https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5"],"published_time":"2026-05-04T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41471","summary":"Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. 
Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.2,"epss":0.0016,"ranking_epss":0.36357,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564","https://wordpress.org/plugins/easy-paypal-events-tickets","https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint"],"published_time":"2026-05-04T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41571","summary":"Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt(\"null\") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: \"null\" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.","cvss":9.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12047,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/enchant97/note-mark/releases/tag/v0.19.3","https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh","https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh"],"published_time":"2026-05-04T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41572","summary":"Note Mark is an open-source note-taking application. 
Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw \"JOIN books ...\" clauses used by the note and asset queries. This issue has been patched in version 0.19.3.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/enchant97/note-mark/releases/tag/v0.19.3","https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf","https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf"],"published_time":"2026-05-04T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37459","summary":"An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11838,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FRRouting/frr/commit/693a2e02687cdc9d16501275e05136edea9650d9"],"published_time":"2026-05-04T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32834","summary":"Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. 
Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00098,"ranking_epss":0.26532,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9","https://wordpress.org/plugins/easy-paypal-events-tickets","https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning"],"published_time":"2026-05-04T18:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0073","summary":"In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01486,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://source.android.com/docs/security/bulletin/2026/2026-05-01"],"published_time":"2026-05-04T18:16:26","vendor":"google","product":"android","version":null},{"cve_id":"CVE-2026-29004","summary":"BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. 
Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.00012,"ranking_epss":0.01621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://busybox.net/","https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a","https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409","https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers"],"published_time":"2026-05-04T18:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2828","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-04T18:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42376","summary":"D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username \"Alphanetworks\" and the static password \"whdrv01_dlob_dir456U\" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. 
The device has reached End-of-Life (EOL) and will not receive patches.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.securin.io/zero-day/cve-2026-42376-hardcoded-telnet-backdoor-in-d-link-dir-456u-a1-end-of-life-","https://www.securin.io/zero-day/cve-2026-42376-hardcoded-telnet-backdoor-in-d-link-dir-456u-a1-end-of-life-"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42440","summary":"OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader \n\nVersions Affected: \n\nbefore 2.5.9\n\nbefore 3.0.0-M3 \n\nDescription:\n\n\nThe AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.\n\n\nA crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. 
Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.\n\n\nThe practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.  \n\n\nMitigation:\n\n\n\n  *  2.x users should upgrade to 2.5.9.\n\n  *  3.x users should upgrade to 3.0.0-M3.\n\n\n\n\nNote: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. 
-DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.\n\n\nUsers who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05333,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo","http://www.openwall.com/lists/oss-security/2026/05/01/21"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42809","summary":"Apache Polaris can issue broad temporary (\"vended\") storage credentials during\nstaged\ntable creation before the effective table location has been validated or\ndurably reserved. \nThose temporary credentials are meant to limit the scope\nof\naccessible table data and metadata, but this scope limitation becomes\nattacker-\ndirected because the attacker can choose a reachable target location.\n\n\n\nIn the confirmed variant, if the caller supplies a custom `location` during\nstage create and requests credential vending, Apache Polaris uses that location to\nconstruct delegated storage credentials immediately. The stage-create path\nitself neither runs the normal location validation nor the overlap checks\nbefore those credentials are issued.\n\n\n\nClosely related to that, the staged-create flow also accepts\n`write.data.path` / `write.metadata.path` in the request properties and\nfeeds\nthose location overrides into the same effective table location set used for\ncredential vending. 
Those fields are secondary to the main custom-`location`\nexploit, but they are still attacker-influenced location inputs that should\nbe\nvalidated before any credentials are issued.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":9.4,"epss":0.00058,"ranking_epss":0.17779,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r","http://www.openwall.com/lists/oss-security/2026/05/02/10"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42810","summary":"Apache Polaris accepts literal `*` characters in namespace and table names. When it\nlater builds temporary S3 access policies for delegated table access, those\nsame characters appear to be reused unescaped in S3 IAM resource patterns\nand\n`s3:prefix` conditions.\n\n\n\nIn S3 IAM policy matching, `*` is treated as a wildcard rather than as\nordinary text. That means temporary credentials issued for one crafted table\ncan match the storage path of a different table.\n\n\n\nIn private testing against Polaris 1.4.0 using Polaris' AWS S3 temporary-\ncredential path on both MinIO and real AWS S3, credentials returned for\ncrafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other\ntables' S3 locations.\n\n\nThe confirmed behavior includes:\n\n\n- reading another table's metadata control file ([Iceberg metadata JSON]);\n\n- listing another table's exact S3 table prefix ([table prefix]);\n\n- and, when write delegation was returned for the crafted table, creating\nand\ndeleting an object under another table's exact S3 table prefix.\n\n\n\nA control case using ordinary different names did not allow the same\ncross-table access.\n\n\n\nA least-privilege AWS S3 variant was also confirmed in which the attacker\nprincipal had no Polaris permissions on the victim table and only the\nminimal permissions required to create and use a crafted wildcard 
table\n(namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that\nsetup, direct Polaris access to `foo.t1` remained forbidden, but the\nattacker\ncould still create and load `*.*`, receive delegated S3 credentials, and use\nthose credentials to list, read, create, and delete objects under `foo.t1`.\n\n\n\nIn Iceberg, the metadata JSON file is a control file: it tells readers which\ndata files belong to the table, which snapshots exist, and which table\nversion\nto read. So unauthorized access to it is already a meaningful\nconfidentiality\nproblem. The confirmed write-capable variant means the issue is not limited\nto\ndisclosure.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":9.4,"epss":0.00061,"ranking_epss":0.18787,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9","http://www.openwall.com/lists/oss-security/2026/05/02/11"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42811","summary":"In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials\nthat\nonly work for one table's files, but a crafted namespace or table name can\ncause those credentials to work across the configured bucket instead.\n\n\nApache Polaris builds Google Cloud Storage downscoped credentials by creating a\nCredential Access Boundary (CAB) with CEL conditions that are intended to\nrestrict access to the requested table's storage path.\n\n\n\nThe relevant CEL string is built from the bucket name and the table path.\nThat\ntable path is derived from namespace and table identifiers. 
In current code,\nthat path appears to be inserted into the CEL expression without escaping.\n\n\n\nAs a result, a namespace or table identifier containing a single quote and\nother URI-safe CEL fragments can break out of the intended quoted string and\nchange the meaning of the CEL condition.\n\n\n\nIn private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated\nGCS\ncredentials whose CEL path restriction had effectively collapsed.\n\n\nThose delegated credentials could then:\n\n\n- list another table's object prefix;\n\n- read another table's metadata control file (Iceberg metadata JSON);\n\n- create and delete an object under another table's object prefix;\n\n- and also list, read, create, and delete objects under an unrelated\nexternal\nprefix in the same bucket that was not part of any table path.\n\n\n\nThat last point is important. The issue is not limited to \"another table\".\nIn\nthe confirmed setup, once Apache Polaris returned credentials for the crafted\ntable,\nthe path restriction inside the configured bucket was effectively gone.\n\nThe practical effect is that temporary credentials for one crafted table\ncan be\nbroader than the table Polaris was asked to authorize, and can become\neffectively bucket-wide within the configured bucket.\n\n\n\nThe current GCS testing used a Polaris principal with broad catalog\nprivileges for setup. A separate least-privilege Polaris RBAC variant\nhas not yet been tested on GCS. 
However, the storage-credential\nbroadening behavior itself has been confirmed on GCS.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":9.4,"epss":0.0007,"ranking_epss":0.21174,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg","http://www.openwall.com/lists/oss-security/2026/05/02/12"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42812","summary":"In Apache Iceberg, the table's metadata files are control files: they tell readers\nwhich data files belong to the table and which table version to read.\n\n\n\n`write.metadata.path` is an optional table property that tells Polaris\nwhere to\nwrite those metadata files. \nFor a table already registered in a\nPolaris-managed\ncatalog, changing only that property through an `ALTER TABLE`-style settings\nchange (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses\nthe commit-time branch that is supposed to revalidate storage locations.\n\nThe full persisted / credential-vending variant requires the affected\ncatalog\nto have `polaris.config.allow.unstructured.table.location=true`, with\n`allowedLocations` broad enough to include the attacker-chosen target.\n\n\n`allowedLocations` is the admin-configured allowlist of storage paths that\nthe\ncatalog is allowed to use. Public project materials suggest that this flag\nis a\nreal supported compatibility / layout mode, not just a contrived lab-only\nprerequisite.\n\n\nIn that configuration, a user who can change table settings can cause Apache Polaris\nitself to write new table metadata to an attacker-chosen reachable storage\nlocation before the intended location-validation branch runs.\n\nIf the later concrete-path validation also accepts that location, Polaris\npersists the resulting metadata path into stored table state. 
Later\ntable-load\nand credential APIs can then return temporary cloud-storage credentials for\nthe\nsame location without revalidating it. In plain terms, Polaris can later\nhand\nout temporary storage access for the same attacker-chosen area.\n\nThat attacker-chosen area does not need to be limited to the poisoned\ntable's\nown files. If it is a broader storage prefix, another table's prefix, or,\ndepending on configuration or provider behavior, even a bucket/container\nroot,\nthe resulting disclosure or corruption scope can extend to any data and\nmetadata Polaris can reach there.\n\n\n\nThe practical consequences are therefore similar to the staged-create\ncredential-vending issue already discussed: data and metadata reachable in\nthat\nstorage scope can be exposed and, if write-capable credentials are later\nissued, modified, corrupted, or removed. Even before that later credential\nstep, Polaris itself performs the metadata write to the unchecked location.\n\nSo the core issue is not only later credential vending. \n\nThe primary defect\nis\nthat Polaris skips its intended location checks before performing a\nsecurity-\nsensitive metadata write when only `write.metadata.path` changes.\n\n\n\nWhen `polaris.config.allow.unstructured.table.location=false`, current code\nreview suggests the later `updateTableLike(...)` validation usually rejects\nout-of-tree metadata locations before the unsafe path is persisted. 
That may\nreduce the persisted / credential-vending variant, but it does not prevent\nthe\nunderlying defect: Polaris still skips the intended pre-write location check\nwhen only `write.metadata.path` changes.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":9.4,"epss":0.00058,"ranking_epss":0.17779,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9","http://www.openwall.com/lists/oss-security/2026/05/02/13"],"published_time":"2026-05-04T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42080","summary":"PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10425,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00","https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-pxhg-7xr2-w7xg"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42090","summary":"Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. 
In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00158,"ranking_epss":0.36105,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android","https://github.com/streetwriters/notesnook/releases/tag/v3.3.15","https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42372","summary":"D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username \"Alphanetworks\" and the static password \"wrgn35_dlwbr_dir605l\" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. 
The device has reached End-of-Life (EOL) and will not receive patches.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05082,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.securin.io/zero-day/cve-2026-42372-hardcoded-telnet-backdoor-in-d-link-dir-605l-a1-end-of-life-","https://www.securin.io/zero-day/cve-2026-42372-hardcoded-telnet-backdoor-in-d-link-dir-605l-a1-end-of-life-"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42373","summary":"D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username \"Alphanetworks\" and the static password \"wrgn76_dlwbr_dir605L\" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-605l-b2-end-of-life-","https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-605l-b2-end-of-life-"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42374","summary":"D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. 
The device starts a telnet daemon at boot via /bin/telnetd.sh with the username \"Alphanetworks\" and the static password \"wrgn61_dlwbr_dir600L\" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control.  The device has reached End-of-Life (EOL) and will not receive patches.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00082,"ranking_epss":0.23689,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.securin.io/zero-day/cve-2026-42374-hardcoded-telnet-backdoor-in-d-link-dir-600l-b1-end-of-life-","https://www.securin.io/zero-day/cve-2026-42374-hardcoded-telnet-backdoor-in-d-link-dir-600l-b1-end-of-life-"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42375","summary":"D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username \"Alphanetworks\" and the static password \"wrgn35_dlwbr_dir600l\" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. 
The device has reached End-of-Life (EOL) and will not receive patches.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.securin.io/zero-day/cve-2026-42375-hardcoded-telnet-backdoor-in-d-link-dir-600l-a1-end-of-life-","https://www.securin.io/zero-day/cve-2026-42375-hardcoded-telnet-backdoor-in-d-link-dir-600l-a1-end-of-life-"],"published_time":"2026-05-04T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42027","summary":"Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\n\n\n\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\n\n\n\nDescription: \n\nThe ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. \n\nClass.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. 
\n\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\n\n\n\n\n\nMitigation: \n\n\n\n  *  2.x users should upgrade to 2.5.9. \n  *  3.x users should upgrade to 3.0.0-M3. \n\n\n\n\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. 
\n\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.51951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y","http://www.openwall.com/lists/oss-security/2026/05/01/20"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42075","summary":"Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00206,"ranking_epss":0.42529,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/EvoMap/evolver/releases/tag/v1.69.3","https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j","https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42076","summary":"Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. 
The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00398,"ranking_epss":0.60589,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/EvoMap/evolver/releases/tag/v1.69.3","https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53","https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42077","summary":"Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.","cvss":5.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.2,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02718,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/EvoMap/evolver/releases/tag/v1.69.3","https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42078","summary":"PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. 
This issue has been patched via commit 418491a.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10425,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00","https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-hrcw-xc63-g29m"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42079","summary":"PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06459,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00","https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p","https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p"],"published_time":"2026-05-04T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37461","summary":"An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE 
message.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04026,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go","https://github.com/osrg/gobgp/commit/362cce3e325f56e7a4f792ccb9689b3bdda9e682","https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d"],"published_time":"2026-05-04T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38669","summary":"wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08178,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/thv930/yumeng_wu/tree/main/1/readme.md","https://github.com/thv930/yumeng_wu/tree/main/1/readme.md"],"published_time":"2026-05-04T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40682","summary":"XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\nDescription: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. 
This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario.\n\n\nMitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6","http://www.openwall.com/lists/oss-security/2026/05/01/19"],"published_time":"2026-05-04T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25266","summary":"Memory corruption while processing IOCTL command when device is in power-save state.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03218,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25293","summary":"Buffer overflow due to incorrect authorization in PLC 
FW","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26332","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19232,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patriksimek/vm2/releases/tag/v3.11.0","https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95","https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"],"published_time":"2026-05-04T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26956","summary":"vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. 
This issue has been patched in version 3.10.5.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00092,"ranking_epss":0.25501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patriksimek/vm2/releases/tag/v3.10.5","https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66","https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66"],"published_time":"2026-05-04T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29514","summary":"NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00028,"ranking_epss":0.07766,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chocapikk.com/posts/2026/netbox-export-template-rce/","https://github.com/netbox-community/netbox/issues/22079","https://github.com/netbox-community/netbox/pull/22078","https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin"],"published_time":"2026-05-04T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47407","summary":"Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel 
level.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02561,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47408","summary":"Memory corruption when another driver calls an IOCTL with invalid input/output buffer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24082","summary":"Memory Corruption when copying data from a freed source while executing performance counter deselect operation.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24118","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.11.0.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.0013,"ranking_epss":0.31945,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3","https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74","https://github.com/patriksimek/vm2/releases/tag/v3.11.0","https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p","https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24120","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.0008,"ranking_epss":0.23223,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patriksimek/vm2/releases/tag/v3.10.5","https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p","https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24781","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.11.0.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00137,"ranking_epss":0.3308,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189","https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c","https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228","https://github.com/patriksimek/vm2/releases/tag/v3.11.0","https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c"],"published_time":"2026-05-04T17:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47401","summary":"Transient DOS when processing target power rate tables during channel configuration.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47403","summary":"Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47404","summary":"Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being 
modified.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47405","summary":"Memory corruption when processing camera sensor input/output control codes with invalid output buffers.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47406","summary":"Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02199,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"],"published_time":"2026-05-04T17:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36365","summary":"An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in 
PostCompressionActions.cpp","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04794,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Lymphatus/caesium-image-compressor","https://github.com/Lymphatus/caesium-image-compressor/blob/main/src/utils/PostCompressionActions.cpp","https://github.com/Lymphatus/caesium-image-compressor/pull/376","https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md"],"published_time":"2026-05-04T16:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37458","summary":"Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FRRouting/frr/commit/8102a8aeceb9f86fdfe1f80cd77080522bab69c8","https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md"],"published_time":"2026-05-04T16:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40563","summary":"Description:\nImproper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas\nApache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. 
An attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data.\n\nAffected Versions:\nThis issue affects Apache Atlas: from 0.8 through 2.4.0.\n\nFor affected versions >= 2.0, the vulnerability is present only when Atlas is deployed with the following non-default configuration:\n\natlas.dsl.executor.traversal=false\n\nMitigation:\nUsers are recommended to upgrade to version 2.5.0, which fixes the issue.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl","http://www.openwall.com/lists/oss-security/2026/05/03/9"],"published_time":"2026-05-04T16:16:02","vendor":"apache","product":"atlas","version":null},{"cve_id":"CVE-2025-70071","summary":"An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09059,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://assimp.com","https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea","https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea"],"published_time":"2026-05-04T16:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6500","summary":"Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.\n\nThis issue affects OpenConcerto: 
1.7.5.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":0.00013,"ranking_epss":0.02158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.openconcerto.org/fr/version-1.7.html"],"published_time":"2026-05-04T15:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6501","summary":"Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup.\n\nThis issue affects jOpenDocument: 1.5.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00057,"ranking_epss":0.17401,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.jopendocument.org/documentation.html"],"published_time":"2026-05-04T15:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33007","summary":"A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes this issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00323,"ranking_epss":0.55275,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/22"],"published_time":"2026-05-04T15:16:04","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-33523","summary":"HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.\n\nThis issue affects Apache HTTP Server: from through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the 
issue.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00164,"ranking_epss":0.36823,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/23"],"published_time":"2026-05-04T15:16:04","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2025-70070","summary":"An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00105,"ranking_epss":0.27942,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://assimp.com","https://gist.github.com/GunP4ng/a2118ba977b10074a4477322afa7b763","https://gist.github.com/GunP4ng/a2118ba977b10074a4477322afa7b763"],"published_time":"2026-05-04T15:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70072","summary":"An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0009,"ranking_epss":0.25175,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://assimp.com","https://gist.github.com/GunP4ng/cdaf0cb89dc6f1d09a9e88fa1135894e","https://gist.github.com/GunP4ng/cdaf0cb89dc6f1d09a9e88fa1135894e"],"published_time":"2026-05-04T15:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23918","summary":"Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the 
issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18765,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/19"],"published_time":"2026-05-04T15:16:03","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-29169","summary":"A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.\n\nThe only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00292,"ranking_epss":0.525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/20","http://www.openwall.com/lists/oss-security/2026/05/05/12"],"published_time":"2026-05-04T15:16:03","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-33006","summary":"A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes this 
issue.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00117,"ranking_epss":0.29896,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/21"],"published_time":"2026-05-04T15:16:03","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2025-13605","summary":"3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the \"IP address\" field of the diagnosis test tools.\nThis issue has been resolved in firmware version 3.0.59B2024080600R4353","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00022,"ranking_epss":0.0609,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/05/CVE-2025-13605"],"published_time":"2026-05-04T15:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6499","summary":"Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries.\n\nThis issue affects OpenConcerto: 1.7.5.","cvss":2.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.4,"epss":0.00013,"ranking_epss":0.02158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.openconcerto.org/fr/version-1.7.html"],"published_time":"2026-05-04T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4928","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. 
Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-04T14:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6266","summary":"A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13508","https://access.redhat.com/errata/RHSA-2026:13512","https://access.redhat.com/errata/RHSA-2026:13545","https://access.redhat.com/security/cve/CVE-2026-6266","https://bugzilla.redhat.com/show_bug.cgi?id=2458142"],"published_time":"2026-05-04T14:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33857","summary":"Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the 
issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00103,"ranking_epss":0.27694,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/15"],"published_time":"2026-05-04T14:16:33","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-34032","summary":"Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00103,"ranking_epss":0.27694,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/16"],"published_time":"2026-05-04T14:16:33","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-31205","summary":"Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent 
function","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11986,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php","https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207","https://github.com/pluck-cms/pluck/issues/141","https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial","https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial"],"published_time":"2026-05-04T14:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70067","summary":"Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://assimp.com","https://gist.github.com/GunP4ng/b6653184a4c5c3e608e6368227397505","https://github.com/assimp/assimp"],"published_time":"2026-05-04T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70069","summary":"An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() 
method","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00107,"ranking_epss":0.28409,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://assimp.com","https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223"],"published_time":"2026-05-04T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-58074","summary":"A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276","https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2276"],"published_time":"2026-05-04T14:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7482","summary":"Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. 
Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":8.8,"epss":0.0009,"ranking_epss":0.25139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ollama/ollama/commit/88d57d0483cca907e0b23a968c83627a20b21047","https://github.com/ollama/ollama/pull/14406","https://github.com/ollama/ollama/releases/tag/v0.17.1"],"published_time":"2026-05-04T13:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24072","summary":"An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes this issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.19852,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/18"],"published_time":"2026-05-04T13:16:00","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-34059","summary":"Buffer Over-read vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00062,"ranking_epss":0.19056,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://www.openwall.com/lists/oss-security/2026/05/04/17"],"published_time":"2026-05-04T13:16:00","vendor":"apache","product":"http_server","version":null},{"cve_id":"CVE-2026-3120","summary":"Improper Control of 
Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection.\n\nThis issue affects SambaBox: from 5.1 before 5.3.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.usom.gov.tr/bildirim/tr-26-0155"],"published_time":"2026-05-04T12:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7749","summary":"A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument priDns leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.2258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2","https://vuldb.com/submit/807203","https://vuldb.com/vuln/360924","https://vuldb.com/vuln/360924/cti","https://www.totolink.net/"],"published_time":"2026-05-04T10:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7750","summary":"A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerability affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument mac_address results in buffer overflow. The attack may be launched remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.2258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setMacFilterRules-34553a41781f809cb952cdcb71ce90d8","https://vuldb.com/submit/807204","https://vuldb.com/vuln/360925","https://vuldb.com/vuln/360925/cti","https://www.totolink.net/"],"published_time":"2026-05-04T10:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7748","summary":"A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument FileName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.2258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setUpgradeFW-34553a41781f80abb1d1c627d7ff4329?pvs=73","https://vuldb.com/submit/807202","https://vuldb.com/vuln/360923","https://vuldb.com/vuln/360923/cti","https://www.totolink.net/"],"published_time":"2026-05-04T10:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33846","summary":"A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. 
An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19224,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-33846","https://bugzilla.redhat.com/show_bug.cgi?id=2450625"],"published_time":"2026-05-04T10:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7747","summary":"A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument Password results in buffer overflow. The attack can be initiated remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00077,"ranking_epss":0.22668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-loginauth_password-34553a41781f80c0ad36f4d95122fd40?pvs=73","https://vuldb.com/submit/807201","https://vuldb.com/vuln/360922","https://vuldb.com/vuln/360922/cti","https://www.totolink.net/"],"published_time":"2026-05-04T09:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7745","summary":"A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/22","https://vuldb.com/submit/807697","https://vuldb.com/vuln/360920","https://vuldb.com/vuln/360920/cti"],"published_time":"2026-05-04T09:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7746","summary":"A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. 
The exploit is publicly available and might be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mjh134/CVE/issues/1","https://vuldb.com/submit/807693","https://vuldb.com/vuln/360921","https://vuldb.com/vuln/360921/cti","https://www.sourcecodester.com/"],"published_time":"2026-05-04T09:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-14320","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.\n\nThis issue affects Online Support Application: from V3 through 31122025.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.usom.gov.tr/bildirim/tr-26-0142"],"published_time":"2026-05-04T09:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7744","summary":"A vulnerability was found in CodeAstro Online Classroom 1.0. This affects an unknown function of the file /OnlineClassroom/addnewstudent. The manipulation of the argument fname results in sql injection. The attack may be performed from remote. 
The exploit has been made public and could be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/21","https://vuldb.com/submit/807696","https://vuldb.com/vuln/360919","https://vuldb.com/vuln/360919/cti"],"published_time":"2026-05-04T08:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7741","summary":"A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/18","https://vuldb.com/submit/807692","https://vuldb.com/vuln/360916","https://vuldb.com/vuln/360916/cti"],"published_time":"2026-05-04T08:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7742","summary":"A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. 
The exploit has been published and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/19","https://vuldb.com/submit/807694","https://vuldb.com/vuln/360917","https://vuldb.com/vuln/360917/cti"],"published_time":"2026-05-04T08:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7743","summary":"A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/20","https://vuldb.com/submit/807695","https://vuldb.com/vuln/360918","https://vuldb.com/vuln/360918/cti"],"published_time":"2026-05-04T08:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7739","summary":"A weakness has been identified in justdan96 tsMuxer up to 2.7.0. This vulnerability affects the function HevcVpsUnit::setFPS of the file /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp. This manipulation of the argument track_id causes denial of service. The attack requires local access. The exploit has been made available to the public and could be used for attacks. 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":1.9,"cvss_version":4.0,"cvss_v2":1.7,"cvss_v3":3.3,"cvss_v4":1.9,"epss":0.00013,"ranking_epss":0.02061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/justdan96/tsMuxer/","https://github.com/justdan96/tsMuxer/issues/895","https://github.com/user-attachments/files/16812270/poc1.zip","https://vuldb.com/submit/807647","https://vuldb.com/vuln/360914","https://vuldb.com/vuln/360914/cti"],"published_time":"2026-05-04T07:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7740","summary":"A security vulnerability has been detected in justdan96 tsMuxer up to 2.7.0. This issue affects the function VvcVpsUnit::setFPS of the file tsMuxer/vvc.cpp. Such manipulation of the argument track_id leads to denial of service. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":1.9,"cvss_version":4.0,"cvss_v2":1.7,"cvss_v3":3.3,"cvss_v4":1.9,"epss":0.00013,"ranking_epss":0.02061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/justdan96/tsMuxer/","https://github.com/justdan96/tsMuxer/issues/899","https://github.com/user-attachments/files/16812319/poc5.zip","https://vuldb.com/submit/807651","https://vuldb.com/vuln/360915","https://vuldb.com/vuln/360915/cti"],"published_time":"2026-05-04T07:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43863","summary":"mutt before 2.3.2 has an infinite loop in data_object_to_stream in 
crypt-gpgme.c.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09613,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/fdc04a171777327218a1e78db504926c388b48c4"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43864","summary":"mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.","cvss":2.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02283,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/ebfa2969042d89303d15334193fcc32866c8a8df"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5335","summary":"The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07715,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/ed6f00de-bbae-4e89-9d0e-ded0d70e781c/"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7736","summary":"A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. 
It is suggested to upgrade the affected component.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00046,"ranking_epss":0.14082,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/osrg/gobgp/","https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592","https://github.com/osrg/gobgp/releases/tag/v4.4.0","https://vuldb.com/submit/807604","https://vuldb.com/vuln/360911","https://vuldb.com/vuln/360911/cti"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7737","summary":"A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.","cvss":6.9,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00047,"ranking_epss":0.14084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/osrg/gobgp/","https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260","https://github.com/osrg/gobgp/releases/tag/v4.4.0","https://vuldb.com/submit/807605","https://vuldb.com/vuln/360912","https://vuldb.com/vuln/360912/cti"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7738","summary":"A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. 
The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00069,"ranking_epss":0.20884,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/38","https://github.com/puchunjie/doc-tools-mcp/","https://github.com/puchunjie/doc-tools-mcp/issues/4","https://vuldb.com/submit/807642","https://vuldb.com/vuln/360913","https://vuldb.com/vuln/360913/cti","https://github.com/puchunjie/doc-tools-mcp/issues/4"],"published_time":"2026-05-04T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29200","summary":"A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.","cvss":9.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.9,"epss":0.00041,"ranking_epss":0.12207,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.cometbackup.com/hc/en-us/articles/40090945484823--CVE-2026-29200-%D0%A1ritical-IDOR-vulnerability-in-Comet-Backup"],"published_time":"2026-05-04T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43859","summary":"mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805"],"published_time":"2026-05-04T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43860","summary":"mutt before 
2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805"],"published_time":"2026-05-04T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43861","summary":"mutt before 2.3.2 does not check for '\\0' in url_pct_decode.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2"],"published_time":"2026-05-04T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43862","summary":"In mutt before 2.3.2, the imap_auth_gss security level is mishandled.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/muttmua/mutt/commit/f547a849cdacb512800a5f477c27de217e1c8151"],"published_time":"2026-05-04T07:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20448","summary":"In geniezone, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. 
Patch ID: ALPS10708513; Issue ID: MSV-6281.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01436,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/May-2026"],"published_time":"2026-05-04T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20449","summary":"In Modem, there is a possible system crash due to a heap buffer overflow. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01760138; Issue ID: MSV-6148.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13726,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/May-2026"],"published_time":"2026-05-04T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20450","summary":"In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01753620; Issue ID: MSV-6100.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15217,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/May-2026"],"published_time":"2026-05-04T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20451","summary":"In slbc, there is a possible out of bounds write due to type confusion. 
This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01739,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/May-2026"],"published_time":"2026-05-04T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29199","summary":"phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08329,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://hackerone.com/reports/3543246"],"published_time":"2026-05-04T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20447","summary":"In geniezone, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. 
Patch ID: ALPS10724073; Issue ID: MSV-6296.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01739,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/May-2026"],"published_time":"2026-05-04T07:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7733","summary":"A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00045,"ranking_epss":0.13591,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitee.com/funadmin/funadmin/","https://gitee.com/funadmin/funadmin/issues/IJ8NXT","https://gitee.com/funadmin/funadmin/pulls/59","https://vuldb.com/submit/807559","https://vuldb.com/vuln/360908","https://vuldb.com/vuln/360908/cti"],"published_time":"2026-05-04T06:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7734","summary":"A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. 
You should upgrade the affected component.","cvss":6.9,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00057,"ranking_epss":0.17647,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/osrg/gobgp/","https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11","https://github.com/osrg/gobgp/releases/tag/v4.4.0","https://vuldb.com/submit/807581","https://vuldb.com/vuln/360909","https://vuldb.com/vuln/360909/cti"],"published_time":"2026-05-04T06:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7735","summary":"A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00058,"ranking_epss":0.17728,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/osrg/gobgp/","https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced","https://github.com/osrg/gobgp/releases/tag/v4.4.0","https://vuldb.com/submit/807600","https://vuldb.com/vuln/360910","https://vuldb.com/vuln/360910/cti"],"published_time":"2026-05-04T06:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7731","summary":"A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. 
The exploit has been disclosed publicly and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/QAp89/CVE/blob/main/SQL3.md","https://vuldb.com/submit/807557","https://vuldb.com/vuln/360906","https://vuldb.com/vuln/360906/cti"],"published_time":"2026-05-04T06:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7732","summary":"A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00036,"ranking_epss":0.10551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/QAp89/CVE/blob/main/Arbitrary%20file%20upload%20leading%20to%20RCE1.md","https://vuldb.com/submit/807558","https://vuldb.com/vuln/360907","https://vuldb.com/vuln/360907/cti","https://vuldb.com/submit/807558"],"published_time":"2026-05-04T06:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7729","summary":"A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. 
The pull request to fix this issue awaits acceptance.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/36","https://github.com/pixelsock/directus-mcp/","https://github.com/pixelsock/directus-mcp/issues/13","https://github.com/pixelsock/directus-mcp/pull/14","https://vuldb.com/submit/807539","https://vuldb.com/vuln/360904","https://vuldb.com/vuln/360904/cti"],"published_time":"2026-05-04T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7730","summary":"A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00734,"ranking_epss":0.72831,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/37","https://github.com/privsim/mcp-test-runner/","https://github.com/privsim/mcp-test-runner/issues/24","https://vuldb.com/submit/807541","https://vuldb.com/vuln/360905","https://vuldb.com/vuln/360905/cti"],"published_time":"2026-05-04T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7725","summary":"A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. 
It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00051,"ranking_epss":0.15471,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/nedlir/c37d90dda5f715790eafc970b2ef0c8a","https://github.com/PrefectHQ/prefect/","https://github.com/PrefectHQ/prefect/commit/6a9d9918716ce4ee0297b69f3046f7067ef1faae","https://github.com/PrefectHQ/prefect/pull/21384","https://github.com/PrefectHQ/prefect/releases/tag/3.6.25.dev7","https://vuldb.com/submit/807356","https://vuldb.com/vuln/360901","https://vuldb.com/vuln/360901/cti","https://vuldb.com/submit/807356"],"published_time":"2026-05-04T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7727","summary":"A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. 
You should upgrade the affected component.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://en.hoteamsoft.com/pdm","https://ucn9h68n9289.feishu.cn/wiki/KvbxwRlmRihO8ZkT1E1c64pdngh","https://vuldb.com/submit/803268","https://vuldb.com/vuln/360902","https://vuldb.com/vuln/360902/cti","https://ucn9h68n9289.feishu.cn/wiki/KvbxwRlmRihO8ZkT1E1c64pdngh"],"published_time":"2026-05-04T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7728","summary":"A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function get_doc_content/read_doc/update_doc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e6f0686fc36012f78236e7fed172c81444904b0b. It is best practice to apply a patch to resolve this issue.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00051,"ranking_epss":0.15604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/35","https://github.com/ryanjoachim/mcp-rtfm/","https://github.com/ryanjoachim/mcp-rtfm/commit/e6f0686fc36012f78236e7fed172c81444904b0b","https://github.com/ryanjoachim/mcp-rtfm/issues/5","https://vuldb.com/submit/807538","https://vuldb.com/vuln/360903","https://vuldb.com/vuln/360903/cti"],"published_time":"2026-05-04T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7723","summary":"A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. 
The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00115,"ranking_epss":0.29615,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f","https://github.com/PrefectHQ/prefect/","https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6","https://github.com/PrefectHQ/prefect/pull/20372","https://github.com/PrefectHQ/prefect/releases/tag/3.6.14","https://vuldb.com/submit/807256","https://vuldb.com/vuln/360899","https://vuldb.com/vuln/360899/cti"],"published_time":"2026-05-04T03:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7724","summary":"A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. 
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":1.3,"cvss_version":4.0,"cvss_v2":4.6,"cvss_v3":5.0,"cvss_v4":1.3,"epss":0.00066,"ranking_epss":0.20053,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/nedlir/fa99777e8989414585d08c3625bf044a","https://github.com/PrefectHQ/prefect/","https://github.com/PrefectHQ/prefect/commit/7c70ac54a5e101431d83b9f2681ec88d5e0021ed","https://github.com/PrefectHQ/prefect/pull/21591","https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2","https://linear.app/prefect/issue/OSS-7874/fix-dns-rebinding-toctou-bypass-in-validate-restricted-url","https://vuldb.com/submit/807303","https://vuldb.com/vuln/360900","https://vuldb.com/vuln/360900/cti"],"published_time":"2026-05-04T03:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7721","summary":"A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.02949,"ranking_epss":0.86518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-NTPSyncWithHost-34553a41781f80808f3cfd14e1c603e7","https://vuldb.com/submit/807199","https://vuldb.com/vuln/360897","https://vuldb.com/vuln/360897/cti","https://www.totolink.net/"],"published_time":"2026-05-04T03:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7722","summary":"A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. 
Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00073,"ranking_epss":0.21886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04","https://github.com/PrefectHQ/prefect/","https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79","https://github.com/PrefectHQ/prefect/pull/21063","https://github.com/PrefectHQ/prefect/releases/tag/3.6.22","https://vuldb.com/submit/807255","https://vuldb.com/vuln/360898","https://vuldb.com/vuln/360898/cti"],"published_time":"2026-05-04T03:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7718","summary":"A vulnerability was identified in Totolink WA300 5.2cu.7112_B20190227. Impacted is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument webWlanIdx leads to command injection. The attack may be initiated remotely. 
The exploit is publicly available and might be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.0227,"ranking_epss":0.84719,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setWebWlanIdx-34553a41781f800ab40ae0c3d68c78a6?pvs=73","https://vuldb.com/submit/807196","https://vuldb.com/vuln/360894","https://vuldb.com/vuln/360894/cti","https://www.totolink.net/"],"published_time":"2026-05-04T02:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7719","summary":"A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00077,"ranking_epss":0.22668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-loginAuth-34553a41781f8050b8ffc9e90a103cd5","https://vuldb.com/submit/807197","https://vuldb.com/vuln/360895","https://vuldb.com/vuln/360895/cti","https://www.totolink.net/"],"published_time":"2026-05-04T02:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7720","summary":"A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. 
The exploit has been made available to the public and could be used for attacks.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.02949,"ranking_epss":0.86518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setLanguageCfg-34553a41781f8007b6c5c7964d424286","https://vuldb.com/submit/807198","https://vuldb.com/vuln/360896","https://vuldb.com/vuln/360896/cti","https://www.totolink.net/"],"published_time":"2026-05-04T02:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7715","summary":"A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00051,"ranking_epss":0.15604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/34","https://github.com/ravenwits/mcp-server-arangodb/","https://github.com/ravenwits/mcp-server-arangodb/issues/7","https://vuldb.com/submit/806913","https://vuldb.com/vuln/360891","https://vuldb.com/vuln/360891/cti"],"published_time":"2026-05-04T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7716","summary":"A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. 
The exploit has been made public and could be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/QAp89/CVE/blob/main/SQL1.md","https://vuldb.com/submit/807105","https://vuldb.com/vuln/360892","https://vuldb.com/vuln/360892/cti"],"published_time":"2026-05-04T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7717","summary":"A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument File can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.2258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-UploadCustomModule-34553a41781f80a8a287e48a7fb04de9","https://vuldb.com/submit/807193","https://vuldb.com/vuln/360893","https://vuldb.com/vuln/360893/cti","https://www.totolink.net/"],"published_time":"2026-05-04T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42368","summary":"A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. 
An attacker can visit a webpage to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-42368","summary":"A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-42368","summary":"A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. 
An attacker can visit a webpage to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-42368","summary":"A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-42369","summary":"GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the \"WebCam Server\" feature.  Once enabled, it is possible to access the management and monitoring feature via a regular Web interface. This webserver is another native application, compiled without ASLR, which makes exploitation much easier and more likely. \n\n\n\nMost of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. 
It supports both `Basic` authentication and the `Digest` modes of authentication.  \n\n\n\n#### Stack-overflow via unbound copy of base64 decoded string\n\nThe `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at a time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and the binary lacks ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00157,"ranking_epss":0.35949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42370","summary":"A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":0.0013,"ranking_epss":0.31936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-vms_firmware","version":null},{"cve_id":"CVE-2026-42370","summary":"A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. 
An attacker can make an unauthenticated HTTP request to trigger this vulnerability.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":0.0013,"ranking_epss":0.31936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-vms","version":null},{"cve_id":"CVE-2026-7161","summary":"An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.\n\n\nWhen interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the \"obscurity\" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. 
With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13353,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-ip_device_utility","version":null},{"cve_id":"CVE-2026-7371","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting non-existing page.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-7371","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 
Reflected XSS via the error message for requesting non-existing page.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-7371","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting non-existing page.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-7371","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 
Reflected XSS via the error message for requesting non-existing page.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-7372","summary":"A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.\n\n#### Stack-overflow via unconstrained sscanf\n\nThe call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size of the stack variables `username` and `password`) then a stack overflow will occur. \n\n\n\nThe data is controlled by an attacker, but stronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":0.0013,"ranking_epss":0.31936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-vms_firmware","version":null},{"cve_id":"CVE-2026-7372","summary":"A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. 
A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.\n\n#### Stack-overflow via unconstrained sscanf\n\nThe call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size of the stack variables `username` and `password`) then a stack overflow will occur. \n\n\n\nThe data is controlled by an attacker, but stronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":0.0013,"ranking_epss":0.31936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:04","vendor":"geovision","product":"gv-vms","version":null},{"cve_id":"CVE-2026-7714","summary":"A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. 
The project was informed of the problem early through a pull request but has not reacted yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":6.4,"cvss_v3":6.5,"cvss_v4":5.5,"epss":0.00094,"ranking_epss":0.25969,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/menelausx/1b45c952d352a2ebdc01cd8d5aa88e87","https://github.com/crocodilestick/Calibre-Web-Automated/","https://github.com/crocodilestick/Calibre-Web-Automated/issues/1304","https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308","https://vuldb.com/submit/806468","https://vuldb.com/vuln/360890","https://vuldb.com/vuln/360890/cti"],"published_time":"2026-05-04T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42364","summary":"An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00109,"ranking_epss":0.28721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-42364","summary":"An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. 
An attacker can modify a configuration value to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00109,"ranking_epss":0.28721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-42364","summary":"An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00109,"ranking_epss":0.28721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-42364","summary":"An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. 
An attacker can modify a configuration value to trigger this vulnerability.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00109,"ranking_epss":0.28721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-42365","summary":"A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19543,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-42365","summary":"A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. 
An attacker can bruteforce session cookies to trigger this vulnerability.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19543,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-42365","summary":"A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19543,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-42365","summary":"A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. 
An attacker can bruteforce session cookies to trigger this vulnerability.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19543,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-42366","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-42366","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. 
An attacker can provide a crafted URL to trigger this vulnerability.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-42366","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-42366","summary":"Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. 
An attacker can provide a crafted URL to trigger this vulnerability.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-42367","summary":"A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05687,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011_firmware","version":null},{"cve_id":"CVE-2026-42367","summary":"A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05687,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2011","version":null},{"cve_id":"CVE-2026-42367","summary":"A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. 
A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05687,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211_firmware","version":null},{"cve_id":"CVE-2026-42367","summary":"A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05687,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/","https://www.geovision.com.tw/cyber_security.php"],"published_time":"2026-05-04T01:16:03","vendor":"geovision","product":"gv-lpc2211","version":null},{"cve_id":"CVE-2026-7713","summary":"A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. 
The affected component should be upgraded.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00067,"ranking_epss":0.20361,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/menelausx/ef98aa78ed2869ccaa316ff45ed1a440","https://github.com/crocodilestick/Calibre-Web-Automated/","https://github.com/crocodilestick/Calibre-Web-Automated/issues/1303","https://github.com/new-usemame/Calibre-Web-NextGen/commit/9f50bb2c16160564c9f8777dc2ceed3eb95e4807","https://github.com/new-usemame/Calibre-Web-NextGen/pull/18","https://github.com/new-usemame/Calibre-Web-NextGen/releases/tag/v4.0.7","https://vuldb.com/submit/806403","https://vuldb.com/vuln/360889","https://vuldb.com/vuln/360889/cti"],"published_time":"2026-05-04T00:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6948","summary":"Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.\n\n\n\nThis allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01695,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/"],"published_time":"2026-05-04T00:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7710","summary":"A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00061,"ranking_epss":0.18853,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/9str0IL/CVE/issues/5","https://vuldb.com/submit/806493","https://vuldb.com/vuln/360886","https://vuldb.com/vuln/360886/cti"],"published_time":"2026-05-04T00:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7711","summary":"A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00038,"ranking_epss":0.11147,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md","https://vuldb.com/submit/806822","https://vuldb.com/vuln/360887","https://vuldb.com/vuln/360887/cti"],"published_time":"2026-05-04T00:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7712","summary":"A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00041,"ranking_epss":0.12095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md","https://vuldb.com/submit/806827","https://vuldb.com/vuln/360888","https://vuldb.com/vuln/360888/cti"],"published_time":"2026-05-04T00:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7707","summary":"A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the argument pei results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00057,"ranking_epss":0.17628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4410","https://github.com/open5gs/open5gs/issues/4411","https://vuldb.com/submit/805699","https://vuldb.com/submit/805700","https://vuldb.com/vuln/360883","https://vuldb.com/vuln/360883/cti","https://github.com/open5gs/open5gs/issues/4410","https://vuldb.com/submit/805699","https://vuldb.com/submit/805700"],"published_time":"2026-05-03T23:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7708","summary":"A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of the argument supi_id causes denial of service. The attack may be initiated remotely. 
The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4412","https://vuldb.com/submit/805701","https://vuldb.com/vuln/360884","https://vuldb.com/vuln/360884/cti"],"published_time":"2026-05-03T23:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7709","summary":"A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00034,"ranking_epss":0.09716,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link","https://vuldb.com/submit/805823","https://vuldb.com/vuln/360885","https://vuldb.com/vuln/360885/cti"],"published_time":"2026-05-03T23:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7705","summary":"A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00841,"ranking_epss":0.7481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/805644","https://vuldb.com/vuln/360881","https://vuldb.com/vuln/360881/cti","https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46"],"published_time":"2026-05-03T23:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7706","summary":"A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4409","https://vuldb.com/submit/805698","https://vuldb.com/vuln/360882","https://vuldb.com/vuln/360882/cti"],"published_time":"2026-05-03T23:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7703","summary":"A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. 
Upgrading the affected component is advised.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00047,"ranking_epss":0.14126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608","https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog","https://vuldb.com/submit/805274","https://vuldb.com/vuln/360872","https://vuldb.com/vuln/360872/cti"],"published_time":"2026-05-03T17:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7704","summary":"A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.","cvss":2.1,"cvss_version":4.0,"cvss_v2":3.3,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00017,"ranking_epss":0.04007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608","https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog","https://vuldb.com/submit/805275","https://vuldb.com/vuln/360873","https://vuldb.com/vuln/360873/cti"],"published_time":"2026-05-03T17:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7701","summary":"A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00033,"ranking_epss":0.09611,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/804341","https://vuldb.com/vuln/360870","https://vuldb.com/vuln/360870/cti","https://www.youtube.com/watch?v=xo9Bplsy1K8","https://www.youtube.com/watch?v=xo9Bplsy1K8"],"published_time":"2026-05-03T16:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7702","summary":"A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08417,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4","https://vuldb.com/submit/804455","https://vuldb.com/vuln/360871","https://vuldb.com/vuln/360871/cti"],"published_time":"2026-05-03T16:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7699","summary":"A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00026,"ranking_epss":0.0731,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection","https://vuldb.com/submit/804260","https://vuldb.com/vuln/360868","https://vuldb.com/vuln/360868/cti"],"published_time":"2026-05-03T15:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7700","summary":"A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00041,"ranking_epss":0.12182,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/804305","https://vuldb.com/vuln/360869","https://vuldb.com/vuln/360869/cti","https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B"],"published_time":"2026-05-03T15:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7698","summary":"A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. 
The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01021,"ranking_epss":0.77328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c","https://vuldb.com/submit/804048","https://vuldb.com/vuln/360867","https://vuldb.com/vuln/360867/cti"],"published_time":"2026-05-03T14:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7697","summary":"A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00026,"ranking_epss":0.07142,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/testnet0/testnet/issues/74","https://vuldb.com/submit/803272","https://vuldb.com/vuln/360866","https://vuldb.com/vuln/360866/cti"],"published_time":"2026-05-03T14:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7696","summary":"A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00034,"ranking_epss":0.09716,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink","https://vuldb.com/submit/807944","https://vuldb.com/vuln/360865","https://vuldb.com/vuln/360865/cti"],"published_time":"2026-05-03T13:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7695","summary":"A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00028,"ranking_epss":0.07858,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg","https://vuldb.com/submit/803275","https://vuldb.com/vuln/360864","https://vuldb.com/vuln/360864/cti"],"published_time":"2026-05-03T13:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7694","summary":"A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00028,"ranking_epss":0.07858,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb","https://vuldb.com/submit/803271","https://vuldb.com/vuln/360863","https://vuldb.com/vuln/360863/cti"],"published_time":"2026-05-03T12:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7691","summary":"A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendors acted very professional and confirms, \"that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.\" This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.01058,"ranking_epss":0.77718,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link","https://vuldb.com/submit/807806","https://vuldb.com/vuln/360861","https://vuldb.com/vuln/360861/cti"],"published_time":"2026-05-03T11:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7692","summary":"A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. 
Once again the vendors acted very professional and confirms, \"that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.\" This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00841,"ranking_epss":0.7481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link","https://vuldb.com/submit/807807","https://vuldb.com/vuln/360862","https://vuldb.com/vuln/360862/cti"],"published_time":"2026-05-03T11:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7688","summary":"A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":1.3,"cvss_version":4.0,"cvss_v2":4.6,"cvss_v3":5.0,"cvss_v4":1.3,"epss":0.00021,"ranking_epss":0.05983,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/799337","https://vuldb.com/vuln/360858","https://vuldb.com/vuln/360858/cti","https://vuldb.com/submit/799337"],"published_time":"2026-05-03T10:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7689","summary":"A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. 
The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.9,"cvss_version":4.0,"cvss_v2":2.6,"cvss_v3":3.7,"cvss_v4":2.9,"epss":8e-05,"ranking_epss":0.00704,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158","https://vuldb.com/submit/801794","https://vuldb.com/vuln/360859","https://vuldb.com/vuln/360859/cti"],"published_time":"2026-05-03T10:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7690","summary":"A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. 
Once again the vendors acted very professional and confirms, \"that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.\" This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00841,"ranking_epss":0.7481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link","https://vuldb.com/submit/807805","https://vuldb.com/vuln/360860","https://vuldb.com/vuln/360860/cti"],"published_time":"2026-05-03T10:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7687","summary":"A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00841,"ranking_epss":0.7481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/798731","https://vuldb.com/vuln/360857","https://vuldb.com/vuln/360857/cti","https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb"],"published_time":"2026-05-03T09:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7686","summary":"A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. 
Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: \"The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal.\"","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08534,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://adblockplus.org/en/download","https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md","https://vuldb.com/submit/793551","https://vuldb.com/vuln/360856","https://vuldb.com/vuln/360856/cti"],"published_time":"2026-05-03T08:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7683","summary":"A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00734,"ranking_epss":0.72831,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00","https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80","https://vuldb.com/submit/801597","https://vuldb.com/submit/801598","https://vuldb.com/vuln/360842","https://vuldb.com/vuln/360842/cti"],"published_time":"2026-05-03T07:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7684","summary":"A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway  leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00041,"ranking_epss":0.12271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2","https://vuldb.com/submit/801599","https://vuldb.com/vuln/360843","https://vuldb.com/vuln/360843/cti"],"published_time":"2026-05-03T07:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7685","summary":"A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway  results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00041,"ranking_epss":0.12271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2","https://vuldb.com/submit/801606","https://vuldb.com/vuln/360844","https://vuldb.com/vuln/360844/cti"],"published_time":"2026-05-03T07:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5337","summary":"During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored  within the application.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09652,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/3e28aa78-3227-474a-b1db-1f5ea2c42d14/"],"published_time":"2026-05-03T07:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7682","summary":"A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. 
It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00841,"ranking_epss":0.7481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f","https://vuldb.com/submit/801572","https://vuldb.com/vuln/360841","https://vuldb.com/vuln/360841/cti"],"published_time":"2026-05-03T07:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7681","summary":"A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":6.4,"cvss_v3":6.5,"cvss_v4":5.5,"epss":0.00038,"ranking_epss":0.11149,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication","https://vuldb.com/submit/801408","https://vuldb.com/vuln/360834","https://vuldb.com/vuln/360834/cti"],"published_time":"2026-05-03T06:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5063","summary":"The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder","https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve"],"published_time":"2026-05-03T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7680","summary":"A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00013,"ranking_epss":0.02311,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter","https://vuldb.com/submit/801150","https://vuldb.com/vuln/360833","https://vuldb.com/vuln/360833/cti"],"published_time":"2026-05-03T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7678","summary":"A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00026,"ranking_epss":0.0731,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/9str0IL/CVE/issues/2","https://vuldb.com/submit/800865","https://vuldb.com/vuln/360831","https://vuldb.com/vuln/360831/cti"],"published_time":"2026-05-03T05:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7679","summary":"A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00082,"ranking_epss":0.23698,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/9str0IL/CVE/issues/1","https://vuldb.com/submit/800866","https://vuldb.com/vuln/360832","https://vuldb.com/vuln/360832/cti"],"published_time":"2026-05-03T05:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7676","summary":"A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11499,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink","https://vuldb.com/submit/800723","https://vuldb.com/vuln/360829","https://vuldb.com/vuln/360829/cti"],"published_time":"2026-05-03T05:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7677","summary":"A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.0,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":2.0,"epss":0.00029,"ranking_epss":0.08068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink","https://vuldb.com/submit/800724","https://vuldb.com/vuln/360830","https://vuldb.com/vuln/360830/cti"],"published_time":"2026-05-03T05:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7675","summary":"A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00043,"ranking_epss":0.13013,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md","https://vuldb.com/submit/800708","https://vuldb.com/submit/800709","https://vuldb.com/vuln/360828","https://vuldb.com/vuln/360828/cti"],"published_time":"2026-05-03T03:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7673","summary":"A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00033,"ranking_epss":0.09464,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink","https://vuldb.com/submit/800684","https://vuldb.com/vuln/360826","https://vuldb.com/vuln/360826/cti"],"published_time":"2026-05-03T02:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7674","summary":"A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":8.7,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00043,"ranking_epss":0.13013,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md","https://vuldb.com/submit/800705","https://vuldb.com/submit/800706","https://vuldb.com/vuln/360827","https://vuldb.com/vuln/360827/cti"],"published_time":"2026-05-03T02:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40561","summary":"Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarlet incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. 
Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01231,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3","https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch","http://www.openwall.com/lists/oss-security/2026/05/03/1"],"published_time":"2026-05-03T01:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7671","summary":"A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.9,"cvss_version":4.0,"cvss_v2":2.6,"cvss_v3":3.7,"cvss_v4":2.9,"epss":0.00019,"ranking_epss":0.05307,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO","https://vuldb.com/submit/799987","https://vuldb.com/vuln/360819","https://vuldb.com/vuln/360819/cti"],"published_time":"2026-05-03T00:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7672","summary":"A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. 
The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.0001,"ranking_epss":0.01208,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink","https://vuldb.com/submit/800658","https://vuldb.com/vuln/360825","https://vuldb.com/vuln/360825/cti"],"published_time":"2026-05-03T00:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6481","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-02T23:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7670","summary":"A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00028,"ranking_epss":0.07858,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zzlln/cvecve/issues/1","https://vuldb.com/submit/799506","https://vuldb.com/vuln/360818","https://vuldb.com/vuln/360818/cti"],"published_time":"2026-05-02T23:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7669","summary":"A vulnerability was detected in sgl-project SGLang up to 0.5.9. 
Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode=\"auto\" and tokenizer_mode=\"slow\" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":6.3,"cvss_version":4.0,"cvss_v2":5.1,"cvss_v3":5.6,"cvss_v4":6.3,"epss":0.00044,"ranking_epss":0.13109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gouldnicholas/CVE-2026-7669-PoC","https://vuldb.com/submit/799263","https://vuldb.com/vuln/360817","https://vuldb.com/vuln/360817/cti"],"published_time":"2026-05-02T22:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7668","summary":"A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. 
The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00039,"ranking_epss":0.11525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ezio315/cve/issues/4","https://vuldb.com/submit/798623","https://vuldb.com/vuln/360804","https://vuldb.com/vuln/360804/cti"],"published_time":"2026-05-02T21:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7653","summary":"A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00197,"ranking_epss":0.41288,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/r-huijts/rijksmuseum-mcp/issues/9","https://vuldb.com/submit/806909","https://vuldb.com/vuln/360778","https://vuldb.com/vuln/360778/cti"],"published_time":"2026-05-02T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7645","summary":"A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":6.4,"cvss_v3":6.5,"cvss_v4":5.5,"epss":0.00062,"ranking_epss":0.19035,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ruvnet/sublinear-time-solver/","https://github.com/ruvnet/sublinear-time-solver/issues/19","https://vuldb.com/submit/806895","https://vuldb.com/vuln/360757","https://vuldb.com/vuln/360757/cti"],"published_time":"2026-05-02T16:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7642","summary":"A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00924,"ranking_epss":0.76094,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/31","https://github.com/pskill9/website-downloader/","https://github.com/pskill9/website-downloader/issues/7","https://vuldb.com/submit/806812","https://vuldb.com/vuln/360754","https://vuldb.com/vuln/360754/cti"],"published_time":"2026-05-02T15:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7643","summary":"A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00016,"ranking_epss":0.03437,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ChatGPTNextWeb/NextChat/","https://github.com/ChatGPTNextWeb/NextChat/issues/6756","https://vuldb.com/submit/806833","https://vuldb.com/vuln/360755","https://vuldb.com/vuln/360755/cti"],"published_time":"2026-05-02T15:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7644","summary":"A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00041,"ranking_epss":0.12099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ChatGPTNextWeb/NextChat/","https://github.com/ChatGPTNextWeb/NextChat/issues/6757","https://vuldb.com/submit/806851","https://vuldb.com/vuln/360756","https://vuldb.com/vuln/360756/cti"],"published_time":"2026-05-02T15:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7633","summary":"A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. 
The exploit is publicly available and might be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":6.4,"cvss_v3":6.5,"cvss_v4":5.5,"epss":0.0012,"ranking_epss":0.30378,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP","https://vuldb.com/submit/806597","https://vuldb.com/vuln/360579","https://vuldb.com/vuln/360579/cti","https://www.totolink.net/"],"published_time":"2026-05-02T15:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7630","summary":"A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00098,"ranking_epss":0.26539,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/innocommerce/innoshop/","https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9","https://github.com/innocommerce/innoshop/issues/314","https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458","https://vuldb.com/submit/806484","https://vuldb.com/vuln/360576","https://vuldb.com/vuln/360576/cti"],"published_time":"2026-05-02T14:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7631","summary":"A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. 
The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.5,"cvss_v3":5.4,"cvss_v4":2.1,"epss":0.00036,"ranking_epss":0.10588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md","https://vuldb.com/submit/806565","https://vuldb.com/vuln/360577","https://vuldb.com/vuln/360577/cti"],"published_time":"2026-05-02T14:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7632","summary":"A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00033,"ranking_epss":0.09598,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md","https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md","https://vuldb.com/submit/806633","https://vuldb.com/vuln/360578","https://vuldb.com/vuln/360578/cti"],"published_time":"2026-05-02T14:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0703","summary":"The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08588,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79","https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87","https://plugins.trac.wordpress.org/changeset/3482613/","https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve"],"published_time":"2026-05-02T14:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2554","summary":"The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. 
This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.1,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386","https://plugins.trac.wordpress.org/changeset/3483695/","https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve"],"published_time":"2026-05-02T14:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3504","summary":"The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. 
The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08579,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125","https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835","https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854","https://plugins.trac.wordpress.org/changeset/3481799/","https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve"],"published_time":"2026-05-02T14:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7629","summary":"A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. 
The project was informed of the problem early through a pull request but has not reacted yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00924,"ranking_epss":0.76094,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kleneway/awesome-cursor-mpc-server/","https://github.com/kleneway/awesome-cursor-mpc-server/issues/6","https://github.com/kleneway/awesome-cursor-mpc-server/pull/14","https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf","https://vuldb.com/submit/806470","https://vuldb.com/vuln/360575","https://vuldb.com/vuln/360575/cti","https://github.com/kleneway/awesome-cursor-mpc-server/issues/6"],"published_time":"2026-05-02T14:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6817","summary":"The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":5.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12708,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3513370/quiz-maker","https://www.wordfence.com/threat-intel/vulnerabilities/id/fa995fa9-5fb1-434a-bf88-c60e986c45eb?source=cve"],"published_time":"2026-05-02T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7628","summary":"A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. 
The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00924,"ranking_epss":0.76094,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/crazyrabbitLTC/mcp-code-review-server/","https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4","https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5","https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf","https://vuldb.com/submit/806469","https://vuldb.com/vuln/360574","https://vuldb.com/vuln/360574/cti"],"published_time":"2026-05-02T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4061","summary":"The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. 
Exploitation requires the Geo Search feature to be enabled in plugin settings.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.22204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152","https://plugins.trac.wordpress.org/changeset/3503627/","https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve"],"published_time":"2026-05-02T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4062","summary":"The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context — `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.22204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166","https://plugins.trac.wordpress.org/changeset/3503627/","https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve"],"published_time":"2026-05-02T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4100","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.1068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/strangerstudios/paid-memberships-pro/pull/3615","https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve"],"published_time":"2026-05-02T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4790","summary":"The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3495451/premium-addons-for-elementor","https://www.wordfence.com/threat-intel/vulnerabilities/id/ae6d07eb-3e64-45ee-ad5d-92b41ef11e43?source=cve"],"published_time":"2026-05-02T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6320","summary":"The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. 
This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.001,"ranking_epss":0.27188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3512110/salon-booking-system","https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854?source=cve"],"published_time":"2026-05-02T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6525","summary":"IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.4","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21008","https://www.wireshark.org/security/wnpa-sec-2026-36.html","https://gitlab.com/wireshark/wireshark/-/work_items/21008"],"published_time":"2026-05-02T12:16:16","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-4060","summary":"The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. 
Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.22204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166","https://plugins.trac.wordpress.org/changeset/3503627/","https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve"],"published_time":"2026-05-02T12:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7627","summary":"A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00017,"ranking_epss":0.0428,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/8nite/metatrader-4-mcp/","https://github.com/8nite/metatrader-4-mcp/issues/1","https://vuldb.com/submit/806286","https://vuldb.com/vuln/360573","https://vuldb.com/vuln/360573/cti"],"published_time":"2026-05-02T11:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7491","summary":"School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":8.6,"epss":0.00038,"ranking_epss":0.11302,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10897-64257-2.html","https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html"],"published_time":"2026-05-02T10:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7609","summary":"A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Update. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.01058,"ranking_epss":0.77718,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md","https://vuldb.com/submit/806216","https://vuldb.com/vuln/360566","https://vuldb.com/vuln/360566/cti"],"published_time":"2026-05-02T10:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7610","summary":"A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.9,"cvss_version":4.0,"cvss_v2":2.6,"cvss_v3":3.7,"cvss_v4":2.9,"epss":0.0002,"ranking_epss":0.05409,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md","https://vuldb.com/submit/806217","https://vuldb.com/vuln/360567","https://vuldb.com/vuln/360567/cti"],"published_time":"2026-05-02T10:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7611","summary":"A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. 
Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". This vulnerability only affects products that are no longer supported by the maintainer.","cvss":6.3,"cvss_version":4.0,"cvss_v2":2.6,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00015,"ranking_epss":0.02907,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md","https://vuldb.com/submit/806218","https://vuldb.com/vuln/360568","https://vuldb.com/vuln/360568/cti"],"published_time":"2026-05-02T10:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7612","summary":"A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. 
The exploit has been publicly disclosed and may be utilized.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00027,"ranking_epss":0.07702,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/submit/issues/12","https://itsourcecode.com/","https://vuldb.com/submit/806275","https://vuldb.com/vuln/360569","https://vuldb.com/vuln/360569/cti"],"published_time":"2026-05-02T10:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7489","summary":"CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.0008,"ranking_epss":0.23354,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html","https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html"],"published_time":"2026-05-02T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7490","summary":"CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":8.6,"epss":0.00212,"ranking_epss":0.43403,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html","https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html"],"published_time":"2026-05-02T10:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5077","summary":"The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML 
attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://themes.trac.wordpress.org/changeset/320590/total","https://www.wordfence.com/threat-intel/vulnerabilities/id/b1749bef-0952-4530-b607-4574765d2700?source=cve"],"published_time":"2026-05-02T10:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4024","summary":"The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. 
This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592","https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve"],"published_time":"2026-05-02T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5324","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11. This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). 
The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00091,"ranking_epss":0.25412,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/form-entries.php#L79","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/views/form-data.php#L11","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L198","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L295","https://plugins.trac.wordpress.org/browser/brizy/trunk/admin/views/form-data.php#L11","https://plugins.trac.wordpress.org/changeset/3502206/brizy/trunk/admin/views/form-data.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fbrizy/tags/2.8.11&new_path=%2Fbrizy/tags/2.8.12","https://www.wordfence.com/threat-intel/vulnerabilities/id/78ec499e-5edd-4f11-9090-f79868864fee?source=cve"],"published_time":"2026-05-02T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7608","summary":"A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.2,"cvss_v3":5.5,"cvss_v4":2.0,"epss":0.0124,"ranking_epss":0.79334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md","https://vuldb.com/submit/806215","https://vuldb.com/vuln/360565","https://vuldb.com/vuln/360565/cti"],"published_time":"2026-05-02T09:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7607","summary":"A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Update. The manipulation of the argument str leads to buffer overflow. The attack may be initiated remotely. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". This vulnerability only affects products that are no longer supported by the maintainer.","cvss":8.7,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00041,"ranking_epss":0.12271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md","https://vuldb.com/submit/806214","https://vuldb.com/vuln/360564","https://vuldb.com/vuln/360564/cti"],"published_time":"2026-05-02T08:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7649","summary":"The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00083,"ranking_epss":0.23869,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019","https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36","https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434","https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019","https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36","https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434","https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve"],"published_time":"2026-05-02T08:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2052","summary":"The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. 
The vulnerability was partially patched in version 4.2.0.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00057,"ranking_epss":0.17642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495","https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534","https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843","https://plugins.trac.wordpress.org/changeset/3481338/","https://plugins.trac.wordpress.org/changeset/3514411/","https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4650","summary":"The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. 
This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.06151,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L173","https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L179","https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-donate.php#L189","https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.9/inc/class-dn-ajax.php#L179","https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L173","https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L179","https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-donate.php#L189","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3502937%40fundpress&new=3502937%40fundpress&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/5db3c66f-0a9c-4233-923c-0965dec68c60?source=cve"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6229","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03812,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1832","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1873","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1918","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L2075","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1832","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1873","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1918","https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L2075","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3514363%40royal-elementor-addons&new=3514363%40royal-elementor-addons&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/9744055a-b199-4945-afcc-4f5b85f5f1e8?source=cve"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6449","summary":"The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. 
This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02407,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php#L97","https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php#L41","https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Services/User/UserApplicationService.php#L647","https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php#L97","https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php#L41","https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Services/User/UserApplicationService.php#L647","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3516430%40ameliabooking&new=3516430%40ameliabooking&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/8d7cc468-eeba-497f-9e11-79d4bebdd7a2?source=cve"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6457","summary":"The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient 
escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02597,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.18/geo-mashup-db.php#L1991","https://plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.18/geo-mashup-ui-managers.php#L388","https://plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.18/geo-mashup.php#L567","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1991","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-ui-managers.php#L388","https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup.php#L567","https://plugins.trac.wordpress.org/changeset/3519909/geo-mashup/trunk","https://www.wordfence.com/threat-intel/vulnerabilities/id/96a80b89-94e0-4bbd-88cf-5eb5349c320b?source=cve"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7606","summary":"A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":6.3,"cvss_version":4.0,"cvss_v2":2.6,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00015,"ranking_epss":0.02907,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md","https://vuldb.com/submit/806213","https://vuldb.com/vuln/360563","https://vuldb.com/vuln/360563/cti"],"published_time":"2026-05-02T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43058","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix pass-by-value structs causing MSAN warnings\n\nvidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their\nargument structs by value, causing MSAN to report uninit-value warnings.\nWhile only vidtv_ts_null_write_into() has triggered a report so far,\nboth functions share the same issue.\n\nFix by passing both structs by const pointer instead, avoiding the\nstack copy of the struct along with its MSAN shadow and origin metadata.\nThe functions do not modify the structs, which is enforced by the const\nqualifier.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b2820c8a9887981634020db19f1a2425558b88e","https://git.kernel.org/stable/c/57b01d945ed68cebe486d495dadc4901a96d3aaa","https://git.kernel.org/stable/c/5f8e73bde67e931468bc2a1860d78d72f0c6ba41","https://git.kernel.org/stable/c/6d75a9ec5bdb8cf8382eaf8f8fe831ba7d58a9d4","https://git.kernel.org/stable/c/be57e52e27c7cbfb400a8f255e475cbcff242baa","https://git.kernel.org/stable/c/e3957eb26a3d570aefc6bb184fa8b8a1e9a4e508"],"published_time":"2026-05-02T07:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7605","summary":"A security flaw has been discovered 
in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jeecgboot/JeecgBoot/","https://github.com/jeecgboot/JeecgBoot/issues/9555","https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271","https://vuldb.com/submit/805709","https://vuldb.com/vuln/360562","https://vuldb.com/vuln/360562/cti"],"published_time":"2026-05-02T07:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5113","summary":"The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.gravityforms.com/gravityforms-change-log/","https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6447","summary":"The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00734,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/tags/4.2.0/includes/admin/class-wc-call-for-price-settings-product-types.php#L68","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/tags/4.2.0/includes/class-wc-call-for-price.php#L681","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/trunk/includes/admin/class-wc-call-for-price-settings-product-types.php#L68","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/trunk/includes/class-wc-call-for-price.php#L681","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3513448%40woocommerce-call-for-price&new=3513448%40woocommerce-call-for-price&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7bffb16d-38dc-49b8-96bd-c13923069d9c?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6812","summary":"The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. 
This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00768,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L688","https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L694","https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L688","https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L694","https://www.wordfence.com/threat-intel/vulnerabilities/id/0acb365c-b5f2-4377-875b-69278a8ff96e?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6916","summary":"The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.0365,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.3/class/elements/elementor/class-fun-fact-elementor.php#L24","https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.3/class/elements/views/class-fun-fact-view.php#L71","https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.3/lib/jeg-element/includes/class/elements/class-elements-view-abstract.php#L251","https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/class/elements/elementor/class-fun-fact-elementor.php#L24","https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/class/elements/views/class-fun-fact-view.php#L71","https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/lib/jeg-element/includes/class/elements/class-elements-view-abstract.php#L251","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3519356%40jeg-elementor-kit&new=3519356%40jeg-elementor-kit&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/5000c86b-b535-48de-b3e0-0dd0d2fd9b1e?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7049","summary":"The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 
The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07196,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L66","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L83","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L92","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L66","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L83","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L92","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L66","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L83","https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L92","https://www.wordfence.com/threat-intel/vulnerabilities/id/273e25aa-4c00-4463-afc5-d8b2433af064?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7647","summary":"The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. 
Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13","https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271","https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13","https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271","https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve"],"published_time":"2026-05-02T06:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5109","summary":"The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted values where the wp_kses()-sanitized version matches a legitimate option value, but then stores the raw unsanitized value in the database. When administrators view entry details via the Order Summary section, the option_label is output directly without escaping (view-order-summary.php line 32), executing the injected JavaScript. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entry data that will execute whenever an administrator accesses the entry details page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.gravityforms.com/gravityforms-change-log/","https://www.wordfence.com/threat-intel/vulnerabilities/id/651fa700-2462-4c9c-bd13-85f3a53a64df?source=cve"],"published_time":"2026-05-02T06:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5110","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.gravityforms.com/gravityforms-change-log/","https://www.wordfence.com/threat-intel/vulnerabilities/id/f9135799-00db-447d-b795-faafeafbce67?source=cve"],"published_time":"2026-05-02T06:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5111","summary":"The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validation checks and the Hidden Product validate() method only validates the quantity field while ignoring the product name field that is later output without proper escaping in the get_value_entry_detail() method. This makes it possible for unauthenticated attackers to inject arbitrary web scripts through form submissions that will execute whenever an administrator views the entry details.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.gravityforms.com/gravityforms-change-log/","https://www.wordfence.com/threat-intel/vulnerabilities/id/a50e7042-bf7b-49d8-8e62-d01ecdd769fd?source=cve"],"published_time":"2026-05-02T06:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5112","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. 
This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater's get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.gravityforms.com/gravityforms-change-log/","https://www.wordfence.com/threat-intel/vulnerabilities/id/63973f61-81f0-4fc8-810c-a15734ff824e?source=cve"],"published_time":"2026-05-02T06:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6446","summary":"The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01277,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/my-social-feeds/tags/1.0.2/includes/TiktokAPI.php#L190","https://plugins.trac.wordpress.org/browser/my-social-feeds/tags/1.0.2/includes/TiktokAPI.php#L24","https://plugins.trac.wordpress.org/browser/my-social-feeds/trunk/includes/TiktokAPI.php#L190","https://plugins.trac.wordpress.org/browser/my-social-feeds/trunk/includes/TiktokAPI.php#L24","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3514796%40my-social-feeds&new=3514796%40my-social-feeds&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/d46d6493-8b89-4258-9d83-79e5946cd76f?source=cve"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6963","summary":"The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access an administrator's account.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04888,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Bootstrap.php#L47","https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Functions.php#L111","https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Bootstrap.php#L47","https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Functions.php#L111","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3515205%40wp-mail-gateway&new=3515205%40wp-mail-gateway&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c7caf1f4-a8dd-4016-91eb-2adbeed5290a?source=cve"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7458","summary":"The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the \"user_verification_form_wrap_process_otpLogin\" function. 
This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a \"true\" OTP value.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.19869,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/functions-rest.php%23L234?rev=3461175","https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php%23L164?rev=3461175","https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/index.php%23L71?rev=3461175","https://plugins.trac.wordpress.org/changeset/3519113/user-verification","https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165?source=cve"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7603","summary":"A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. 
The vendor confirmed the issue and will provide a fix in the upcoming release.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jeecgboot/JeecgBoot/","https://github.com/jeecgboot/JeecgBoot/issues/9553","https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014","https://vuldb.com/submit/805707","https://vuldb.com/vuln/360560","https://vuldb.com/vuln/360560/cti","https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7604","summary":"A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. 
The vendor confirmed the issue and will provide a fix in the upcoming release.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jeecgboot/JeecgBoot/","https://github.com/jeecgboot/JeecgBoot/issues/9554","https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151","https://vuldb.com/submit/805708","https://vuldb.com/vuln/360561","https://vuldb.com/vuln/360561/cti"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7641","summary":"The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' 
option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150","https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21","https://plugins.trac.wordpress.org/changeset/3515646","https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve"],"published_time":"2026-05-02T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-14726","summary":"The Widgets for Social Photo Feed plugin for WordPress is 
vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.05316,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget","https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve"],"published_time":"2026-05-02T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4658","summary":"The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05928,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/essential-blocks/tags/6.0.4/includes/Blocks/AddToCart.php#L118","https://plugins.trac.wordpress.org/browser/essential-blocks/tags/6.0.4/includes/Blocks/AddToCart.php#L120","https://plugins.trac.wordpress.org/browser/essential-blocks/tags/6.0.4/includes/Blocks/AddToCart.php#L65","https://plugins.trac.wordpress.org/browser/essential-blocks/tags/6.0.4/includes/Blocks/AddToCart.php#L66","https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/Blocks/AddToCart.php#L118","https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/Blocks/AddToCart.php#L120","https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/Blocks/AddToCart.php#L65","https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/Blocks/AddToCart.php#L66","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3516287%40essential-blocks%2Ftags%2F6.1.0%2Fincludes%2FBlocks%2FAddToCart.php&old=3178777%40essential-blocks%2Ftrunk%2Fincludes%2FBlocks%2FAddToCart.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/3e7eed9d-2d44-4951-b66b-7d8995ca617d?source=cve"],"published_time":"2026-05-02T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4882","summary":"The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. 
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a \"Profile Picture\" field is added to the form.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpuserregistration.com/features/advanced-fields/","https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c6a377-216f-4d61-8fae-ec5bc2793cdf?source=cve"],"published_time":"2026-05-02T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7209","summary":"The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `qcopd-directory` shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as `title_font_size`. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.1056,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.2/qc-op-directory-shortcodes.php#L88","https://plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.2/templates/style-1/template.php#L118","https://plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.4/qc-op-directory-shortcodes.php#L116","https://plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.4/qc-op-directory-shortcodes.php#L145","https://wordpress.org/plugins/simple-link-directory","https://www.wordfence.com/threat-intel/vulnerabilities/id/9a7ca5f6-89c0-49ce-9aef-2208365c6151?source=cve"],"published_time":"2026-05-02T04:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7602","summary":"A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. 
The vendor confirmed the issue and will provide a fix in the upcoming release.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jeecgboot/JeecgBoot/","https://github.com/jeecgboot/JeecgBoot/issues/9552","https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314","https://vuldb.com/submit/805706","https://vuldb.com/vuln/360559","https://vuldb.com/vuln/360559/cti"],"published_time":"2026-05-02T04:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7638","summary":"The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.13079,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161","https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80","https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33","https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161","https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80","https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33","https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161","https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80","https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33","https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve"],"published_time":"2026-05-02T04:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6378","summary":"The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00056,"ranking_epss":0.17359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/maxi-blocks/maxi-blocks/pull/6250/changes/8db3267df9858f684e420566227ed2ea7954d9a9","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L1010","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L1021","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L979","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L981","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L987","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-api.php#L221","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-api.php#L979","https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-style-cards.php#L197","https://www.wordfence.com/threat-intel/vulnerabilities/id/22f05048-df38-4f26-82a3-53caac995283?source=cve"],"published_time":"2026-05-02T04:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7601","summary":"A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. 
It is advisable to upgrade the affected component.","cvss":5.3,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00057,"ranking_epss":0.17628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426","https://github.com/open5gs/open5gs/issues/4321","https://github.com/open5gs/open5gs/releases/tag/v2.7.7","https://vuldb.com/submit/805675","https://vuldb.com/vuln/360558","https://vuldb.com/vuln/360558/cti"],"published_time":"2026-05-02T03:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43824","summary":"In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3","https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"],"published_time":"2026-05-02T02:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7600","summary":"A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00924,"ranking_epss":0.76094,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ArtMin96/yii2-mcp-server/","https://github.com/ArtMin96/yii2-mcp-server/issues/3","https://github.com/BruceJqs/public_exp/issues/29","https://vuldb.com/submit/805613","https://vuldb.com/vuln/360557","https://vuldb.com/vuln/360557/cti"],"published_time":"2026-05-02T01:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7599","summary":"A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00069,"ranking_epss":0.20884,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/28","https://github.com/Dayoooun/hwpx-mcp/","https://github.com/Dayoooun/hwpx-mcp/issues/3","https://vuldb.com/submit/805608","https://vuldb.com/vuln/360556","https://vuldb.com/vuln/360556/cti"],"published_time":"2026-05-01T22:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7597","summary":"A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 
The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00051,"ranking_epss":0.15789,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mem0ai/mem0/","https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a","https://github.com/mem0ai/mem0/issues/3778","https://github.com/mem0ai/mem0/pull/4833","https://vuldb.com/submit/805562","https://vuldb.com/vuln/360550","https://vuldb.com/vuln/360550/cti","https://vuldb.com/submit/805562"],"published_time":"2026-05-01T22:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7598","summary":"A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00046,"ranking_epss":0.14082,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/libssh2/libssh2/","https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1","https://github.com/libssh2/libssh2/pull/1858","https://vuldb.com/submit/805564","https://vuldb.com/vuln/360555","https://vuldb.com/vuln/360555/cti","https://vuldb.com/submit/805564"],"published_time":"2026-05-01T22:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7595","summary":"A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. 
Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00052,"ranking_epss":0.15905,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/","https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246","https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275","https://vuldb.com/submit/805509","https://vuldb.com/vuln/360548","https://vuldb.com/vuln/360548/cti"],"published_time":"2026-05-01T21:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7596","summary":"A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. 
The project was informed of the problem early through a pull request but has not reacted yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00015,"ranking_epss":0.02918,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/","https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247","https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274","https://vuldb.com/submit/805510","https://vuldb.com/vuln/360549","https://vuldb.com/vuln/360549/cti","https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247"],"published_time":"2026-05-01T21:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39805","summary":"Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.\n\n'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. 
RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.\n\nWhen Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\n\nThis issue affects bandit: before 1.11.0.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00017,"ranking_epss":0.04035,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-39805.html","https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1","https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7","https://osv.dev/vulnerability/EEF-CVE-2026-39805","https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39807","summary":"Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.\n\n'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. 
Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated.\n\nDownstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions.\n\nThis issue affects bandit: from 1.0.0 before 1.11.0.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00018,"ranking_epss":0.04727,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-39807.html","https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667","https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j","https://osv.dev/vulnerability/EEF-CVE-2026-39807","https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42786","summary":"Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. 
Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00056,"ranking_epss":0.17285,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-42786.html","https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667","https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p","https://osv.dev/vulnerability/EEF-CVE-2026-42786","https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42788","summary":"Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames.\n\n'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching payload::binary-size(length), which requires the entire frame body to be present in memory before either the accept or reject clause can fire. 
A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the max_frame_size negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113).\n\nAn unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service.\n\nThis issue affects bandit: from 0.3.6 before 1.11.0.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00017,"ranking_epss":0.04007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-42788.html","https://github.com/mtrudel/bandit/commit/1e8e55966da9129016b73d32f0e1df4630e3b463","https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f","https://osv.dev/vulnerability/EEF-CVE-2026-42788","https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7593","summary":"A security vulnerability has been detected in Sunwood-ai-labs command-executor-mcp-server up to 0.1.0. This impacts the function execute_command of the file src/index.ts of the component MCP Interface. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01306,"ranking_epss":0.79867,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Sunwood-ai-labs/command-executor-mcp-server/","https://github.com/Sunwood-ai-labs/command-executor-mcp-server/issues/6","https://vuldb.com/submit/805507","https://vuldb.com/vuln/360546","https://vuldb.com/vuln/360546/cti"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7594","summary":"A vulnerability was detected in Flux159 mcp-game-asset-gen 0.1.0. Affected is the function image_to_3d_async of the file src/index.ts of the component MCP Interface. The manipulation of the argument statusFile results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00046,"ranking_epss":0.13877,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Flux159/mcp-game-asset-gen/","https://github.com/Flux159/mcp-game-asset-gen/issues/3","https://vuldb.com/submit/805508","https://vuldb.com/vuln/360547","https://vuldb.com/vuln/360547/cti"],"published_time":"2026-05-01T21:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-12993","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-67968. Reason: This candidate is a reservation duplicate of CVE-2025-67968. Notes: All CVE users should reference CVE-2025-67968 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-01T21:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39804","summary":"Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.\n\n'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.\n\nAn unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.\n\nThis vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. 
Stock Phoenix and LiveView applications are not affected as they default to compress: false.\n\nThis issue affects bandit: from 0.5.9 before 1.11.0.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.0004,"ranking_epss":0.11844,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-39804.html","https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e","https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j","https://osv.dev/vulnerability/EEF-CVE-2026-39804","https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j"],"published_time":"2026-05-01T21:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7592","summary":"A weakness has been identified in itsourcecode Courier Management System 1.0. This affects an unknown function of the file /edit_staff.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/submit/issues/11","https://itsourcecode.com/","https://vuldb.com/submit/804453","https://vuldb.com/vuln/360545","https://vuldb.com/vuln/360545/cti"],"published_time":"2026-05-01T20:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-8903","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-2052. Reason: This candidate is a reservation duplicate of CVE-2026-2052 Notes: All CVE users should reference CVE-2026-2052 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-05-01T20:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7589","summary":"A vulnerability was determined in ghantakiran splunk-mcp-integration up to 0b86b09d5e5adf0433acd43c975951224613a1a6. Impacted is the function create_csv_export of the file services/csv-export-service/app/api/v1/endpoints/csv_export.py of the component CSV Export. This manipulation of the argument job_name causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00044,"ranking_epss":0.13095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ghantakiran/splunk-mcp-integration/","https://github.com/ghantakiran/splunk-mcp-integration/issues/49","https://vuldb.com/submit/804408","https://vuldb.com/vuln/360542","https://vuldb.com/vuln/360542/cti"],"published_time":"2026-05-01T19:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7590","summary":"A vulnerability was identified in eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the argument dev_script leads to os command injection. The attack can be launched remotely.
The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01306,"ranking_epss":0.79867,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eyal-gor/p_69_branch_monkey_mcp/","https://github.com/eyal-gor/p_69_branch_monkey_mcp/issues/8","https://vuldb.com/submit/804413","https://vuldb.com/vuln/360543","https://vuldb.com/vuln/360543/cti"],"published_time":"2026-05-01T19:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7591","summary":"A security flaw has been discovered in TimBroddin astro-mcp-server up to 1.1.1. The impacted element is an unknown function of the file src/index.ts of the component MCP Tool Query Construction. Performing a manipulation of the argument request.params.arguments results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TimBroddin/astro-mcp-server/","https://github.com/TimBroddin/astro-mcp-server/issues/2","https://vuldb.com/submit/804450","https://vuldb.com/vuln/360544","https://vuldb.com/vuln/360544/cti"],"published_time":"2026-05-01T19:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30363","summary":"flipperzero-firmware commit ad2a80 was discovered to contain a stack overflow in the \"Main\" function.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02152,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/k6dpvrmm8z-glitch/7db9fb648a18ffcd8600bea436486884","https://github.com/flipperdevices/flipperzero-firmware/issues/4332","https://gist.github.com/k6dpvrmm8z-glitch/7db9fb648a18ffcd8600bea436486884","https://github.com/flipperdevices/flipperzero-firmware/issues/4332"],"published_time":"2026-05-01T19:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-52347","summary":"An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 
call.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03795,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347","https://www.osforensics.com/whats-new.html","https://www.passmark.com/products/burnintest/history.php","https://www.passmark.com/products/performancetest/history.php"],"published_time":"2026-05-01T19:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7588","summary":"A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00044,"ranking_epss":0.13095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ggerve/coding-standards-mcp/","https://github.com/ggerve/coding-standards-mcp/issues/3","https://vuldb.com/submit/804390","https://vuldb.com/vuln/360541","https://vuldb.com/vuln/360541/cti"],"published_time":"2026-05-01T18:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26461","summary":"A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.06746,"ranking_epss":0.91336,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md","https://www.aver.com/Downloads/search?q=PTC320UV2"],"published_time":"2026-05-01T18:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35233","summary":"An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. 
This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02165,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://linux.oracle.com/cve/CVE-2026-35233.html"],"published_time":"2026-05-01T18:16:14","vendor":"oracle","product":"linux","version":null},{"cve_id":"CVE-2026-37457","summary":"An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11838,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c"],"published_time":"2026-05-01T18:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-63547","summary":"An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00088,"ranking_epss":0.24866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390","https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md"],"published_time":"2026-05-01T18:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-63548","summary":"An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of 
service via a packet specially crafted to bear a non-valid value in any Boolean field.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00106,"ranking_epss":0.28092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389","https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md"],"published_time":"2026-05-01T18:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-69606","summary":"Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13545,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS","https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E","https://www.solutionsvoip.com.br/","https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS"],"published_time":"2026-05-01T18:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21996","summary":"An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in 
Pbuild_file_symtab()","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02165,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://linux.oracle.com/cve/CVE-2026-21996.html"],"published_time":"2026-05-01T18:16:13","vendor":"oracle","product":"linux","version":null},{"cve_id":"CVE-2026-42467","summary":"An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Binary_Data_Transfer_DM16 causing a denial of service via crafted CAN frame on the J1939 bus.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11838,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381"],"published_time":"2026-05-01T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42468","summary":"Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_pcap.cpp, the parser's phdr.len field is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted PCAP input.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00121,"ranking_epss":0.30612,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381"],"published_time":"2026-05-01T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42469","summary":"Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005.
In canformat_canswitch.cpp the parser does not properly validate a CANswitch DLC value, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted CANswitch frames.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00145,"ranking_epss":0.34292,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381"],"published_time":"2026-05-01T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42485","summary":"AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7587","summary":"A vulnerability has been found in Open5GS up to 2.7.7. This vulnerability affects the function amf_nsmf_pdusession_handle_update_sm_context of the file /src/amf/nsmf-handler.c of the component AMF. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4408","https://vuldb.com/submit/804339","https://vuldb.com/vuln/360540","https://vuldb.com/vuln/360540/cti"],"published_time":"2026-05-01T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37541","summary":"Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00194,"ranking_epss":0.40978,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3"],"published_time":"2026-05-01T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37534","summary":"Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer, allows attackers to write to arbitrary memory via crafted sequence number from the CAN
frame.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03262,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/DanielMartensson/Open-SAE-J1939"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37535","summary":"openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02653,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/openxc/isotp-c","https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37536","summary":"miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. 
No bounds check on payload_length before memcpy.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03108,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/miaofng/uds-c","https://github.com/openxc/uds-c"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37537","summary":"collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02712,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/DanielMartensson/Open-SAE-J1939","https://github.com/collin80/Open-SAE-J1939"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37538","summary":"Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via crafted 
bus_name.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11838,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/dschanoeh/socketcand"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37539","summary":"Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00251,"ranking_epss":0.48314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/mguentner/cannelloni"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37540","summary":"OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. 
On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01697,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381","https://github.com/OpenAMP/open-amp","https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c"],"published_time":"2026-05-01T17:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37525","summary":"AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. 
This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00254,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37526","summary":"AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37530","summary":"AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. 
The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02079,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37531","summary":"AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. 
Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside via path traversal persist permanently.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00108,"ranking_epss":0.28542,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/src/app-framework-main","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37532","summary":"AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00267,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level","https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"],"published_time":"2026-05-01T17:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7585","summary":"A vulnerability was determined in Open5GS up to 2.7.7. The impacted element is the function amf_nudm_sdm_handle_provisioned of the file /src/amf/nudm-handler.c of the component AMF. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00057,"ranking_epss":0.17628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4403","https://vuldb.com/submit/804334","https://vuldb.com/submit/804335","https://vuldb.com/submit/804337","https://vuldb.com/vuln/360533","https://vuldb.com/vuln/360533/cti"],"published_time":"2026-05-01T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7586","summary":"A weakness has been identified in Open5GS up to 2.7.7. Affected is the function ogs_id_get_value of the file /src/amf/nudm-handler.c of the component AMF. This manipulation causes denial of service. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4405","https://vuldb.com/submit/804336","https://vuldb.com/vuln/360536","https://vuldb.com/vuln/360536/cti"],"published_time":"2026-05-01T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42480","summary":"A stack-based out-of-bounds read vulnerability in VrmlData_Scene::ReadLine in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. 
The issue occurs because the quoted-string escape handler uses ptr[++anOffset] without proper bounds checking, which can read past the end of a fixed-size stack buffer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02062,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42481","summary":"Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, and infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation may result in denial of service or unintended memory disclosure.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02062,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37554","summary":"An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. 
The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f","https://github.com/riebl/vanetza","https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp","https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42471","summary":"Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11453,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42472","summary":"Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. 
The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11453,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42473","summary":"Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11453,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42474","summary":"SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `data` array to the data function in BuildHelper.php.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08855,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/database/src/Helper/BuildHelper.php"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42475","summary":"SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in 
BuildHelper.php.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08855,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/database/src/Helper/BuildHelper.php"],"published_time":"2026-05-01T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37503","summary":"Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.0847,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9","https://github.com/v2board/v2board"],"published_time":"2026-05-01T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37504","summary":"Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. 
An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9","https://github.com/v2board/v2board"],"published_time":"2026-05-01T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37505","summary":"SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.0681,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9","https://github.com/v2board/v2board"],"published_time":"2026-05-01T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37552","summary":"Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\\Closure\\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. 
An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00103,"ranking_epss":0.27752,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","https://github.com/mix-php/mix","https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php"],"published_time":"2026-05-01T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22165","summary":"A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.imaginationtech.com/gpu-driver-vulnerabilities/"],"published_time":"2026-05-01T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22166","summary":"A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. 
On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the system.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.imaginationtech.com/gpu-driver-vulnerabilities/"],"published_time":"2026-05-01T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22167","summary":"Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages.\n\n\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.\n\n\n\nThis attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second-order effect of corrupted arbitrary physical memory.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00329,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.imaginationtech.com/gpu-driver-vulnerabilities/"],"published_time":"2026-05-01T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23863","summary":"An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. 
We have not seen evidence of exploitation in the wild.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.01022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.facebook.com/security/advisories/cve-2026-23863","https://www.whatsapp.com/security/advisories/2026"],"published_time":"2026-05-01T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23866","summary":"Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00837,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.facebook.com/security/advisories/cve-2026-23866","https://www.whatsapp.com/security/advisories/2026"],"published_time":"2026-05-01T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7583","summary":"A flaw has been found in Open5GS up to 2.7.7. This issue affects the function bsf_sess_find_by_ipv6prefix of the file /src/bsf/context.c of the component BSF. This manipulation of the argument ipv6Prefix causes denial of service. It is possible to initiate the attack remotely. The exploit has been published and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4401","https://vuldb.com/submit/804322","https://vuldb.com/vuln/360530","https://vuldb.com/vuln/360530/cti"],"published_time":"2026-05-01T15:16:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43055","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: file: Use kzalloc_flex for aio_cmd\n\nThe target_core_file doesn't initialize the aio_cmd->iocb for the\nki_write_stream. When a write command fd_execute_rw_aio() is executed,\nwe may get a bogus ki_write_stream value, causing unintended write\nfailure status when checking iocb->ki_write_stream > max_write_streams\nin the block device.\n\nLet's just use kzalloc_flex when allocating the aio_cmd and let\nki_write_stream=0 to fix this issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11091,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f784fc9d0ab2a6dac45ee443620e517cb2a19b","https://git.kernel.org/stable/c/4eaff1728d0e69b95933412241bbccf4f797dba8","https://git.kernel.org/stable/c/ce54802fe6bb78eb0feffc66fed6a45d41ffc3ab"],"published_time":"2026-05-01T15:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43056","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in add_adev() error path\n\nIf auxiliary_device_add() fails, add_adev() jumps to add_fail and calls\nauxiliary_device_uninit(adev).\n\nThe auxiliary device has its release callback set to adev_release(),\nwhich frees the containing struct 
mana_adev. Since adev is embedded in\nstruct mana_adev, the subsequent fall-through to init_fail and access\nto adev->id may result in a use-after-free.\n\nFix this by saving the allocated auxiliary device id in a local\nvariable before calling auxiliary_device_add(), and use that saved id\nin the cleanup path after auxiliary_device_uninit().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43f5b19fd190fea20d052bc84741b28031d5baa9","https://git.kernel.org/stable/c/5f4061f8225d18695e5afe9bbf1cb7bd673d7872","https://git.kernel.org/stable/c/c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f","https://git.kernel.org/stable/c/d88541ffd56d62a61e77209080001eddd4d69815","https://git.kernel.org/stable/c/e5a75bf026c686b91a7dc6f9c5caf5016745d1fe"],"published_time":"2026-05-01T15:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43057","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: correctly handle tunneled traffic on IPV6_CSUM GSO fallback\n\nNETIF_F_IPV6_CSUM only advertises support for checksum offload of\npackets without IPv6 extension headers. Packets with extension\nheaders must fall back onto software checksumming. Since TSO\ndepends on checksum offload, those must revert to GSO.\n\nThe below commit introduces that fallback. It always checks\nnetwork header length. For tunneled packets, the inner header length\nmust be checked instead. Extend the check accordingly.\n\nA special case is tunneled packets without inner IP protocol. Such as\nRFC 6951 SCTP in UDP. 
Those are not standard IPv6 followed by\ntransport header either, so also must revert to the software GSO path.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00053,"ranking_epss":0.16288,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2094a7cf91b71367b649f991aacc7b579f793d0b","https://git.kernel.org/stable/c/33670f780e0120c3dacda188c512bbffe0b6044c","https://git.kernel.org/stable/c/732fdeb2987c94b439d51f5cb9addddc2fc48c42","https://git.kernel.org/stable/c/a98b78116a27e2a57b696b569b2cb431c95cf9b6","https://git.kernel.org/stable/c/c4336a07eb6b2526dc2b62928b5104b41a7f81f5","https://git.kernel.org/stable/c/ed71cf465c75f5688b07a35d373cd1d6b589c8ea"],"published_time":"2026-05-01T15:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43504","summary":"An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://prosody.im/security/advisory_735dd9d3/","https://www.openwall.com/lists/oss-security/2026/05/01/5"],"published_time":"2026-05-01T15:16:52","vendor":"prosody","product":"prosody","version":null},{"cve_id":"CVE-2026-43505","summary":"An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. 
Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://prosody.im/security/advisory_735dd9d3/","https://www.openwall.com/lists/oss-security/2026/05/01/5"],"published_time":"2026-05-01T15:16:52","vendor":"prosody","product":"prosody","version":null},{"cve_id":"CVE-2026-43506","summary":"An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://prosody.im/security/advisory_735dd9d3/","https://www.openwall.com/lists/oss-security/2026/05/01/5"],"published_time":"2026-05-01T15:16:52","vendor":"prosody","product":"prosody","version":null},{"cve_id":"CVE-2026-43507","summary":"An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. 
A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00054,"ranking_epss":0.16621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.unionium.org/ARTICLES/1.HTM","https://prosody.im/security/advisory_735dd9d3/","https://www.openwall.com/lists/oss-security/2026/05/01/5"],"published_time":"2026-05-01T15:16:52","vendor":"prosody","product":"prosody","version":null},{"cve_id":"CVE-2026-43047","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Check to ensure report responses match the request\n\nIt is possible for a malicious (or clumsy) device to respond to a\nspecific report's feature request using a completely different report\nID.  This can cause confusion in the HID core resulting in nasty\nside-effects such as OOB writes.\n\nAdd a check to ensure that the report ID in the response, matches the\none that was requested.  
If it doesn't, omit reporting the raw event and\nreturn early.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2edc92f89eee328b5be5706b5d431bf90669e9c0","https://git.kernel.org/stable/c/516da3f25cfe18643835af1cf09b0e9ffc36c383","https://git.kernel.org/stable/c/6a4acd3e86fe5584050c213d95147eba33856033","https://git.kernel.org/stable/c/74c6015375d8b9bc1b1eb79f20636c8e894bcad7","https://git.kernel.org/stable/c/7f66fdbc077faed3b52519228d21d81979e92249","https://git.kernel.org/stable/c/a61163daf8a90b4a7ef154d5fc9c525f665734e3","https://git.kernel.org/stable/c/c7a27bb4d0f6573ca0f9c7ef0b63291486239190","https://git.kernel.org/stable/c/e716edafedad4952fe3a4a273d2e039a84e8681a"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43048","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Mitigate potential OOB by removing bogus memset()\n\nThe memset() in hid_report_raw_event() has the good intention of\nclearing out bogus data by zeroing the area from the end of the incoming\ndata string to the assumed end of the buffer.  
However, as we have\npreviously seen, doing so can easily result in OOB reads and writes in\nthe subsequent thread of execution.\n\nThe current suggestion from one of the HID maintainers is to remove the\nmemset() and simply return if the incoming event buffer size is not\nlarge enough to fill the associated report.\n\nSuggested-by Benjamin Tissoires <bentiss@kernel.org>\n\n[bentiss: changed the return value]","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.0326,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a3fe972a7cb1404f693d6f1711f32bc1d244b1c","https://git.kernel.org/stable/c/8f71034649738fdeb6859b8d6cddf132024fac06","https://git.kernel.org/stable/c/bd6e1d0230cca9575f5d118148f51e2a56b5373f"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43049","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure\n\nPresently, if the force feedback initialisation fails when probing the\nLogitech G920 Driving Force Racing Wheel for Xbox One, an error number\nwill be returned and propagated before the userspace infrastructure\n(sysfs and /dev/input) has been torn down.  
If userspace ignores the\nerrors and continues to use its references to these dangling entities, a\nUAF will promptly follow.\n\nWe have 2 options; continue to return the error, but ensure that all of\nthe infrastructure is torn down accordingly or continue to treat this\ncondition as a warning by emitting the message but returning success.\nIt is thought that the original author's intention was to emit the\nwarning but keep the device functional, less the force feedback feature,\nso let's go with that.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/772f99cc8d6e5d95613bce93c9624e154c1abe88","https://git.kernel.org/stable/c/9a793ac19eb84f44ed759c0fce80cf29bc2a2453","https://git.kernel.org/stable/c/b846fb0a73e99174f08238e083e284c0463a2102","https://git.kernel.org/stable/c/f7a4c78bfeb320299c1b641500fe7761eadbd101"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43050","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv->lecd\nto NULL and concurrent access to priv->lecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). 
When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket's wait queue.\n\nThe root cause is that lec_atm_close() clears priv->lecd without\nany synchronization, while callers dereference priv->lecd without\nany protection against concurrent teardown.\n\nFix this by converting priv->lecd to an RCU-protected pointer:\n- Mark priv->lecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n  for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n  the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n  lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n  lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n  lec_atm_close() to ensure all readers have completed before\n  proceeding. This is safe since lec_atm_close() is called from\n  vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n  since vcc_destroy_socket() already drains it after lec_atm_close()\n  returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n    fix the race. The v1 spinlock approach had two issues pointed out\n    by Eric Dumazet:\n    1. priv->lecd was still accessed directly after releasing the\n       lock instead of using a local copy.\n    2. 
The spinlock did not prevent packets being queued after\n       lec_atm_close() drains sk_receive_queue since timer and\n       workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n    unexpectedly with \"Connection to localhost closed by remote host\",\n    likely due to a QEMU AHCI emulation issue unrelated to this fix.\n    Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e","https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad","https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b","https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8","https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe","https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555","https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3","https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43051","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. 
A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9","https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99","https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b","https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd","https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94","https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d","https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada","https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43052","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\nWhen NL80211_TDLS_ENABLE_LINK is called, the code only checks if the\nstation exists but not whether it is actually a TDLS station. 
This\nallows the operation to proceed for non-TDLS stations, causing\nunintended side effects like modifying channel context and HT\nprotection before failing.\n\nAdd a check for sta->sta.tdls early in the ENABLE_LINK case, before\nany side effects occur, to ensure the operation is only allowed for\nactual TDLS peers.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7d73872d949c488a1d7c308031d6a9d89b5e0a8b","https://git.kernel.org/stable/c/8148c2fda4ebb17104a573649c9b699208ad10ee","https://git.kernel.org/stable/c/be81f17151fcb8546a95f35ca8f4231b065985de","https://git.kernel.org/stable/c/e77b2937aaa20264e4bd699d3244bdb50e7e3343"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43053","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: close crash window in attr dabtree inactivation\n\nWhen inactivating an inode with node-format extended attributes,\nxfs_attr3_node_inactive() invalidates all child leaf/node blocks via\nxfs_trans_binval(), but intentionally does not remove the corresponding\nentries from their parent node blocks.  The implicit assumption is that\nxfs_attr_inactive() will truncate the entire attr fork to zero extents\nafterwards, so log recovery will never reach the root node and follow\nthose stale pointers.\n\nHowever, if a log shutdown occurs after the leaf/node block cancellations\ncommit but before the attr bmap truncation commits, this assumption\nbreaks.  Recovery replays the attr bmap intact (the inode still has\nattr fork extents), but suppresses replay of all cancelled leaf/node\nblocks, maybe leaving them as stale data on disk.  On the next mount,\nxlog_recover_process_iunlinks() retries inactivation and attempts to\nread the root node via the attr bmap. 
If the root node was not replayed,\nreading the unreplayed root block triggers a metadata verification\nfailure immediately; if it was replayed, following its child pointers\nto unreplayed child blocks triggers the same failure:\n\n XFS (pmem0): Metadata corruption detected at\n xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78\n XFS (pmem0): Unmount and run xfs_repair\n XFS (pmem0): First 128 bytes of corrupted metadata buffer:\n 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n XFS (pmem0): metadata I/O error in \"xfs_da_read_buf+0x104/0x190\" at daddr 0x78 len 8 error 117\n\nFix this in two places:\n\nIn xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a\nchild block, immediately remove the entry that references it from the\nparent node in the same transaction.  This eliminates the window where\nthe parent holds a pointer to a cancelled block.  Once all children are\nremoved, the now-empty root node is converted to a leaf block within the\nsame transaction. This node-to-leaf conversion is necessary for crash\nsafety. If the system shutdown after the empty node is written to the\nlog but before the second-phase bmap truncation commits, log recovery\nwill attempt to verify the root block on disk. xfs_da3_node_verify()\ndoes not permit a node block with count == 0; such a block will fail\nverification and trigger a metadata corruption shutdown. 
On the other\nhand, leaf blocks are allowed to have this transient state.\n\nIn xfs_attr_inactive(), split the attr fork truncation into two explicit\nphases.  First, truncate all extents beyond the root block (the child\nextents whose parent references have already been removed above).\nSecond, invalidate the root block and truncate the attr bmap to zero in\na single transaction.  The two operations in the second phase must be\natomic: as long as the attr bmap has any non-zero length, recovery can\nfollow it to the root block, so the root block invalidation must commit\ntogether with the bmap-to-zero truncation.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61","https://git.kernel.org/stable/c/e5a3e3cdd9b3015ae79456c81beebfdbb5246c0f"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43054","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Drain commands in target_reset handler\n\ntcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS\nwithout draining any in-flight commands.  The SCSI EH documentation\n(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver\nhas made lower layers \"forget about timed out scmds\" and is ready for new\ncommands.  Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,\nmpi3mr) enforces this by draining or completing outstanding commands before\nreturning SUCCESS.\n\nBecause tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight\nscsi_cmnd structures for recovery commands (e.g. TUR) while the target core\nstill has async completion work queued for the old se_cmd.  
The memset in\nqueuecommand zeroes se_lun and lun_ref_active, causing\ntransport_lun_remove_cmd() to skip its percpu_ref_put().  The leaked LUN\nreference prevents transport_clear_lun_ref() from completing, hanging\nconfigfs LUN unlink forever in D-state:\n\n  INFO: task rm:264 blocked for more than 122 seconds.\n  rm              D    0   264    258 0x00004000\n  Call Trace:\n   __schedule+0x3d0/0x8e0\n   schedule+0x36/0xf0\n   transport_clear_lun_ref+0x78/0x90 [target_core_mod]\n   core_tpg_remove_lun+0x28/0xb0 [target_core_mod]\n   target_fabric_port_unlink+0x50/0x60 [target_core_mod]\n   configfs_unlink+0x156/0x1f0 [configfs]\n   vfs_unlink+0x109/0x290\n   do_unlinkat+0x1d5/0x2d0\n\nFix this by making tcm_loop_target_reset() actually drain commands:\n\n 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that\n    the target core knows about (those not yet CMD_T_COMPLETE).\n\n 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and\n    flush_work() on each se_cmd — this drains any deferred completion work\n    for commands that already had CMD_T_COMPLETE set before the TMR (which\n    the TMR skips via __target_check_io_state()).  
This is the same pattern\n    used by mpi3mr, scsi_debug, and libsas to drain outstanding commands\n    during reset.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf","https://git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf","https://git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026","https://git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d","https://git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a","https://git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9","https://git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829"],"published_time":"2026-05-01T15:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43039","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch\n\nemac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but\nnever copies the packet data from the XDP buffer into it. The skb is\npassed up the stack containing uninitialized heap memory instead of\nthe actual received packet, leaking kernel heap contents to userspace.\n\nCopy the received packet data from the XDP buffer into the skb using\nskb_copy_to_linear_data().\n\nAdditionally, remove the skb_mark_for_recycle() call since the skb is\nbacked by the NAPI page frag allocator, not page_pool. 
Marking a\nnon-page_pool skb for recycle causes the free path to return pages to\na page_pool that does not own them, corrupting page_pool state.\n\nThe non-ZC path (emac_rx_packet) does not have these issues because it\nuses napi_build_skb() to wrap the existing page_pool page directly,\nrequiring no copy, and correctly marks for recycle since the page comes\nfrom page_pool_dev_alloc_pages().","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.12804,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5597dd284ff8c556c0b00f6a34473677426e3f81","https://git.kernel.org/stable/c/a968438d4fc17ee1dcdc3cfa490dcb5e7709cf76"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43040","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak\n\nWhen processing Router Advertisements with user options the kernel\nbuilds an RTM_NEWNDUSEROPT netlink message. 
The nduseroptmsg struct\nhas three padding fields that are never zeroed and can leak kernel data.\n\nThe fix is simple, just zeroes the padding fields.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11d7fe97421cfc81549940c20ed5ac9472d6db05","https://git.kernel.org/stable/c/1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c","https://git.kernel.org/stable/c/2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648","https://git.kernel.org/stable/c/4f810c686fde509d1cdaa706322d9d2531f8f1a4","https://git.kernel.org/stable/c/7f56d87e527bb5a13c3e8b0d5840cb6332822f6d","https://git.kernel.org/stable/c/ae05340ccaa9d347fe85415609e075545bec589f","https://git.kernel.org/stable/c/b485eef3d97b7aae55ce669b6de555ec81f3d21c","https://git.kernel.org/stable/c/ef3645606e4a635d5062a492f22b7f490852ee67"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43041","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak\n\n__radix_tree_create() allocates and links intermediate nodes into the\ntree one by one. If a subsequent allocation fails, the already-linked\nnodes remain in the tree with no corresponding leaf entry. These orphaned\ninternal nodes are never reclaimed because radix_tree_for_each_slot()\nonly visits slots containing leaf values.\n\nThe radix_tree API is deprecated in favor of xarray. As suggested by\nMatthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead\nof fixing the radix_tree itself [1]. 
xarray properly handles cleanup of\ninternal nodes — xa_destroy() frees all internal xarray nodes when the\nqrtr_node is released, preventing the leak.\n\n[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0fda873092b541bb5a9b87d728a2429f863f8cfa","https://git.kernel.org/stable/c/2428083101f6883f979cceffa76cd8440751ffe6","https://git.kernel.org/stable/c/4b75ff0aedd6ade1018ad4a3a9d8336794e36e42","https://git.kernel.org/stable/c/5d2249eefaca59908fe3c264b8eca526424dcfbe","https://git.kernel.org/stable/c/69402908e277dd164bf8d7c8fd0513c0fac28e9e","https://git.kernel.org/stable/c/f2664bc4f0f356f17c2094587a2b3665e3867e44","https://git.kernel.org/stable/c/f2dd9aaf6e2861337f5835f877a5b2becaf4b015","https://git.kernel.org/stable/c/ff134cc43972d7ddceff8cfd36cf6b9eaafc00b3"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43042","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: add seqcount to protect the platform_label{,s} pair\n\nThe RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have\nan inconsistent view of platform_labels vs platform_label in case of a\nconcurrent resize (resize_platform_label_table, under\nplatform_mutex). This can lead to OOB accesses.\n\nThis patch adds a seqcount, so that we get a consistent snapshot.\n\nNote that mpls_label_ok is also susceptible to this, so the check\nagainst RTA_DST in rtm_to_route_config, done outside platform_mutex,\nis not sufficient. 
This value gets passed to mpls_label_ok once more\nin both mpls_route_add and mpls_route_del, so there is no issue, but\nthat additional check must not be removed.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef","https://git.kernel.org/stable/c/629ec78ef8608d955ce217880cdc3e1873af3a15"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43043","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af-alg - fix NULL pointer dereference in scatterwalk\n\nThe AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)\nwhen chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL\nexactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent\nsendmsg() allocates a new SGL and chains it, but fails to clear the end\nmarker on the previous SGL's last data entry.\n\nThis causes the crypto scatterwalk to hit a premature end, returning NULL\non sg_next() and leading to a kernel panic during dereference.\n\nFix this by explicitly unmarking the end of the previous SGL when\nperforming sg_chain() in 
af_alg_alloc_tsgl().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00cbdec17c15d024a1c5002c7365df7624a18a75","https://git.kernel.org/stable/c/44eafa39363e8d5dfda6a8c6eb6b45458ed4b948","https://git.kernel.org/stable/c/4b03ab0a587ec57eb7ddb5c115d84a42896f60f7","https://git.kernel.org/stable/c/62397b493e14107ae82d8b80938f293d95425bcb","https://git.kernel.org/stable/c/7195350fb78538c25cd790d703f8f2c73ee0d395","https://git.kernel.org/stable/c/7cdf2c6381b21ab5ccf8116750d5582fcd6c0f49","https://git.kernel.org/stable/c/f48d3dd99199180cf37d6253550c55e86372309a","https://git.kernel.org/stable/c/f9acceae7b004956851fd4268edf9f518a9bce04"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43044","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - fix DMA corruption on long hmac keys\n\nWhen a key longer than block size is supplied, it is copied and then\nhashed into the real key.  
The memory allocated for the copy needs to\nbe rounded to DMA cache alignment, as otherwise the hashed key may\ncorrupt neighbouring memory.\n\nThe rounding was performed, but never actually used for the allocation.\nFix this by replacing kmemdup with kmalloc for a larger buffer,\nfollowed by memcpy.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5ddfdcbe10dc5f97afc4e46ca22be2be717e8caf","https://git.kernel.org/stable/c/68feed135a0c7243a9275ae7e6a18260f755f52b","https://git.kernel.org/stable/c/a7ecf06d3ee06e9b3322e1e7b003ea5c6f6e135a","https://git.kernel.org/stable/c/c0c133e0225d87aad326bb90bbce9bdd6fde3cbb","https://git.kernel.org/stable/c/f2af8be110bde26b3e3354efdfdda97f426306a4"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43045","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix error handling in mshv_region_pin\n\nThe current error handling has two issues:\n\nFirst, pin_user_pages_fast() can return a short pin count (less than\nrequested but greater than zero) when it cannot pin all requested pages.\nThis is treated as success, leading to partially pinned regions being\nused, which causes memory corruption.\n\nSecond, when an error occurs mid-loop, already pinned pages from the\ncurrent batch are not properly accounted for before calling\nmshv_region_invalidate_pages(), causing a page reference leak.\n\nTreat short pins as errors and fix partial batch accounting 
before\ncleanup.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/a7d149152bc5a9119854331c57be35ad31fdf5cc","https://git.kernel.org/stable/c/c0e296f257671ba10249630fe58026f29e4804d9"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43046","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject root items with drop_progress and zero drop_level\n\n[BUG]\nWhen recovering relocation at mount time, merge_reloc_root() and\nbtrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against\nan impossible state: a non-zero drop_progress combined with a zero\ndrop_level in a root_item, which can be triggered:\n\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/relocation.c:1545!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 1 UID: 0 PID: 283 ... 
Tainted: 6.18.0+ #16 PREEMPT(voluntary)\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2\nRIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545\nCode: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000\nCall Trace:\n merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861\n btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195\n btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130\n open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640\n btrfs_fill_super fs/btrfs/super.c:987 [inline]\n btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]\n btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128\n vfs_get_tree+0x9a/0x370 fs/super.c:1758\n fc_mount fs/namespace.c:1199 [inline]\n do_new_mount_fc fs/namespace.c:3642 [inline]\n do_new_mount fs/namespace.c:3718 [inline]\n path_mount+0x5b8/0x1ea0 fs/namespace.c:4028\n do_mount fs/namespace.c:4041 [inline]\n __do_sys_mount fs/namespace.c:4229 [inline]\n __se_sys_mount fs/namespace.c:4206 [inline]\n __x64_sys_mount+0x282/0x320 fs/namespace.c:4206\n ...\nRIP: 0033:0x7f969c9a8fde\nCode: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f\n---[ end trace 0000000000000000 ]---\n\nThe bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic\nmetadata fuzzing tool that corrupts btrfs metadata at runtime.\n\n[CAUSE]\nA non-zero drop_progress.objectid means an interrupted\nbtrfs_drop_snapshot() left a resume point on disk, and in that case\ndrop_level must be greater than 0 because the checkpoint is only\nsaved at internal node levels.\n\nAlthough this invariant is enforced when the kernel writes the root\nitem, it is not validated when the root item is read back from disk.\nThat allows on-disk corruption to provide an invalid state with\ndrop_progress.objectid != 0 and drop_level == 0.\n\nWhen relocation recovery later processes such a root item,\nmerge_reloc_root() reads 
drop_level and hits BUG_ON(level == 0). The\nsame invalid metadata can also trigger the corresponding BUG_ON() in\nbtrfs_drop_snapshot().\n\n[FIX]\nFix this by validating the root_item invariant in tree-checker when\nreading root items from disk: if drop_progress.objectid is non-zero,\ndrop_level must also be non-zero. Reject such malformed metadata with\n-EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot()\nand triggers the BUG_ON.\n\nAfter the fix, the same corruption is correctly rejected by tree-checker\nand the BUG_ON is no longer triggered.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/295f8075d00442d71dc9ccae421ace1c0d2d9224","https://git.kernel.org/stable/c/53ceedd1eb6280ca8359664e0226983eded2ed73","https://git.kernel.org/stable/c/850de3d87f4720b71ccdcd44f4aa57e46b53a3f3","https://git.kernel.org/stable/c/ac68a9a8e481ab1becaed29d6d23087dac3de15d","https://git.kernel.org/stable/c/b17b79ff896305fd74980a5f72afec370ee88ca4","https://git.kernel.org/stable/c/bedaf7d0b9d793e116f16b4d9a7dbc94bcc80443","https://git.kernel.org/stable/c/de585ee18dd5601745f65a60fef7b7ceebd78c83"],"published_time":"2026-05-01T15:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43034","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: set backing store type from query type\n\nbnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the\nfirmware response in ctxm->type and later uses that value to index\nfixed backing-store metadata arrays such as ctx_arr[] and\nbnxt_bstore_to_trace[].\n\nctxm->type is fixed by the current backing-store query type and matches\nthe array index of ctx->ctx_arr. 
Set ctxm->type from the current loop\nvariable instead of depending on resp->type.\n\nAlso update the loop to advance type from next_valid_type in the for\nstatement, which keeps the control flow simpler for non-valid and\nunchanged entries.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29732b68a6816a815d58e9ab229844c23617e1e0","https://git.kernel.org/stable/c/4ee937107d52f9e5c350e4b5e629760e328b3d9f","https://git.kernel.org/stable/c/c8d53b70166d1dc463ef42adb7293e1a770822c7"],"published_time":"2026-05-01T15:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43035","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. 
Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c","https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3","https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce","https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69","https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138","https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078","https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099","https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404"],"published_time":"2026-05-01T15:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43036","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use skb_header_pointer() for TCPv4 GSO frag_off check\n\nSyzbot reported a KMSAN uninit-value warning in gso_features_check()\ncalled from netif_skb_features() [1].\n\ngso_features_check() reads iph->frag_off to decide whether to clear\nmangleid_features. 
Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()\ncan rely on skb header offsets that are not always safe for direct\ndereference on packets injected from PF_PACKET paths.\n\nUse skb_header_pointer() for the TCPv4 frag_off check so the header read\nis robust whether data is already linear or needs copying.\n\n[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/cc91202fc20a44aab4c206f12a2bfe05da936051","https://git.kernel.org/stable/c/d970341cfa5594614c7a6634886c7688b4f5cafd","https://git.kernel.org/stable/c/ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0","https://git.kernel.org/stable/c/f7a6cd508e9e825a2c69fa9e13d41ee156852f25"],"published_time":"2026-05-01T15:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43037","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2->cb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. 
__ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt->__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2->cb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl >= 5).","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00053,"ranking_epss":0.16406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876","https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5","https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925","https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8","https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3","https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39","https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f","https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"],"published_time":"2026-05-01T15:16:48","vendor":"linux","product":"linux_kernel","version":null},{"cve_id":"CVE-2026-43038","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n  and passed to icmp6_send(), it uses IP6CB(skb2).\n\n  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n  at offset 18.\n\n  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n  would be a non-zero offset. 
Inside icmp6_send(), mip6_addr_swap() is called\n  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).\n\n  This would scan the inner, attacker-controlled IPv6 packet starting at that\n  offset, potentially returning a fake TLV without checking if the remaining\n  packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n  of the packet data into skb_shared_info?\n\n  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n  ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00053,"ranking_epss":0.16406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7","https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf","https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7","https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5","https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada","https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb","https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8","https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"],"published_time":"2026-05-01T15:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43026","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent\n\nctnetlink_alloc_expect() allocates expectations from a non-zeroing\nslab cache via nf_ct_expect_alloc().  When CTA_EXPECT_NAT is not\npresent in the netlink message, saved_addr and saved_proto are\nnever initialized.  
Stale data from a previous slab occupant can\nthen be dumped to userspace by ctnetlink_exp_dump_expect(), which\nchecks these fields to decide whether to emit CTA_EXPECT_NAT.\n\nThe safe sibling nf_ct_expect_init(), used by the packet path,\nexplicitly zeroes these fields.\n\nZero saved_addr, saved_proto and dir in the else branch, guarded\nby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when\nNAT is enabled.\n\nConfirmed by priming the expect slab with NAT-bearing expectations,\nfreeing them, creating a new expectation without CTA_EXPECT_NAT,\nand observing that the ctnetlink dump emits a spurious\nCTA_EXPECT_NAT containing stale data from the prior allocation.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c2ebdeff8d088a2e47ae25d7b38447249adace2","https://git.kernel.org/stable/c/2898080c054ea4d6ddfaaf21bbedbc229a9a8376","https://git.kernel.org/stable/c/35177c6877134a21315f37d57a5577846225623e","https://git.kernel.org/stable/c/929f7a9a7aad9404a5867216c3f8738232355b38","https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f","https://git.kernel.org/stable/c/a64b7bf84b4d5ea54218c5d374ec87fff9000f43","https://git.kernel.org/stable/c/bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36","https://git.kernel.org/stable/c/fd002ff2ea030cbfb0188a11b3c60ce7f84485f4"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43027","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation 
and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately.  Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp->helper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n  BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n  Read of size 1 at addr ffff888003b14d20 by task poc/103\n  Call Trace:\n   string+0x38f/0x430\n   vsnprintf+0x3cc/0x1170\n   seq_printf+0x17a/0x240\n   exp_seq_show+0x2e5/0x560\n   seq_read_iter+0x419/0x1280\n   proc_reg_read+0x1ac/0x270\n   vfs_read+0x179/0x930\n   ksys_read+0xef/0x1c0\n  Freed by task 103:\n  The buggy address is located 32 bytes inside of\n   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a","https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be","https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6","https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1","https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3","https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965","https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65","https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43028","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: ensure names are nul-terminated\n\nReject names that lack a \\0 character before feeding them\nto functions that expect 
c-strings.\n\nFixes tag is the most recent commit that needs this change.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/673bbd36cba21d10a10f0932f479df7468e26fbb","https://git.kernel.org/stable/c/73124608172890306b85f2206d8b3cac20e324f1","https://git.kernel.org/stable/c/a958a4f90ddd7de0800b33ca9d7b886b7d40f74e","https://git.kernel.org/stable/c/aa6cd4a8863391e0a64f62d8922cb0af732a2cf2","https://git.kernel.org/stable/c/bcac50ea0a29d430eedc5ac87b215393b567baa9","https://git.kernel.org/stable/c/c2d4a3abb15ca14716c6d8b9ffcbcd7c63626af4","https://git.kernel.org/stable/c/ea01c1b219f5a11c66918abaa6f052e5a74041d6","https://git.kernel.org/stable/c/f419bdc205894750f4d3ec042bc87a1b9cde1351"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43029","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix soft lockup in mptcp_recvmsg()\n\nsyzbot reported a soft lockup in mptcp_recvmsg() [0].\n\nWhen receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not\nremoved from the sk_receive_queue. This causes sk_wait_data() to always\nfind available data and never perform actual waiting, leading to a soft\nlockup.\n\nFix this by adding a 'last' parameter to track the last peeked skb.\nThis allows sk_wait_data() to make informed waiting decisions and prevent\ninfinite loops when MSG_PEEK is used.\n\n[0]:\nwatchdog: BUG: soft lockup - CPU#2 stuck for 156s! 
[server:1963]\nModules linked in:\nCPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_wait_data+0x15/0x190\nCode: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b\nRSP: 0018:ffffc90000603ca0 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101\nR10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18\nR13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000\nFS:  00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329\n inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891\n sock_recvmsg+0x94/0xc0 net/socket.c:1100\n __sys_recvfrom+0xb2/0x130 net/socket.c:2256\n __x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267\n do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131\nRIP: 0033:0x7f6e386a4a1d\nCode: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41\nRSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d\nRDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004\nRBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0\nR13: 00007ffc3c4bb650 R14: 
0000000000000000 R15: 0000000000000000\n </TASK>","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11091,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/58b58b9ba89c43914eea90c18928e51852d10c24","https://git.kernel.org/stable/c/5dd8025a49c268ab6b94d978532af3ad341132a7","https://git.kernel.org/stable/c/de3c248d1b69eaefa2d5b3da4005936dcf590f1b"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43030","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix regsafe() for pointers to packet\n\nIn case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N\nregsafe() may return true which may lead to current state with\nvalid packet range not being explored. Fix the bug.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/015a74476dc1ab6923d89f1ee009aaf43faa7185","https://git.kernel.org/stable/c/37db6b9726d0bcf91cbdf9d63b558c50da49f968","https://git.kernel.org/stable/c/7241da033fdc507b920e092dab1f97b945cb0370","https://git.kernel.org/stable/c/8aebe18069394f4a79d2d82080a0f806da449996","https://git.kernel.org/stable/c/a8502a79e832b861e99218cbd2d8f4312d62e225","https://git.kernel.org/stable/c/b52f6d0ef7b308f9d05bbddb78749852f28e8e40","https://git.kernel.org/stable/c/b99d82706bd1511bb875e3de7154698fd9215c99","https://git.kernel.org/stable/c/ca995b1462ec6db1e869100ba1fb7356bd3f22f0"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43031","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Fix BQL accounting for multi-BD TX packets\n\nWhen a TX packet spans multiple buffer descriptors 
(scatter-gather),\naxienet_free_tx_chain sums the per-BD actual length from descriptor\nstatus into a caller-provided accumulator. That sum is reset on each\nNAPI poll. If the BDs for a single packet complete across different\npolls, the earlier bytes are lost and never credited to BQL. This\ncauses BQL to think bytes are permanently in-flight, eventually\nstalling the TX queue.\n\nThe SKB pointer is stored only on the last BD of a packet. When that\nBD completes, use skb->len for the byte count instead of summing\nper-BD status lengths. This matches netdev_sent_queue(), which debits\nskb->len, and naturally survives across polls because no partial\npacket contributes to the accumulator.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11091,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a0323a913109b52bfc9f5ea7b92a1b249e07d3e","https://git.kernel.org/stable/c/3c3a6b9020c01fde7b22e8550105de0b59904f61","https://git.kernel.org/stable/c/d1978d03e86785872871bff9c2623174b10740de"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43032","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: pn533: bound the UART receive buffer\n\npn532_receive_buf() appends every incoming byte to dev->recv_skb and\nonly resets the buffer after pn532_uart_rx_is_frame() recognizes a\ncomplete frame. 
A continuous stream of bytes without a valid PN532 frame\nheader therefore keeps growing the skb until skb_put_u8() hits the tail\nlimit.\n\nDrop the accumulated partial frame once the fixed receive buffer is full\nso malformed UART traffic cannot grow the skb past\nPN532_UART_SKB_BUFF_LEN.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/23e925183db26cd322597679669ad29d70ed2ada","https://git.kernel.org/stable/c/2c1fadd221b21d8038acfe6a0f56291881d5ff76","https://git.kernel.org/stable/c/30fe3f5f6494f827d812ff179f295a8e532709d6","https://git.kernel.org/stable/c/3adca9be14bf36b927193f05f5aea35a1a90e913","https://git.kernel.org/stable/c/8bedf1dd5640ac8997bff00bbefe241b438df397","https://git.kernel.org/stable/c/ad2f60de5045bfb5d20ea468a97c8760c6a3a4f8","https://git.kernel.org/stable/c/cf2ff10183204349edfd6b972e189375fc5f1fb0","https://git.kernel.org/stable/c/f48ab6ee654ecc350434e4566bc785773f412b7e"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43033","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged 
accordingly.\n\n\nThanks,","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/153d5520c3f9fd62e71c7e7f9e34b59cf411e555","https://git.kernel.org/stable/c/5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5","https://git.kernel.org/stable/c/89fe118b6470119b20c04afc36e45b81a69ea11f","https://git.kernel.org/stable/c/8c62f618576519dbed6816fafc623ce592953025","https://git.kernel.org/stable/c/cded4002d22177e8deaca1f257ecd932c9582b6b","https://git.kernel.org/stable/c/d0c4ff6812386880f30bc64c2921299cc4d7b47f","https://git.kernel.org/stable/c/d589abd8b019b07075fda255ceab8c8e950cdb3f","https://git.kernel.org/stable/c/e02494114ebf7c8b42777c6cd6982f113bfdbec7"],"published_time":"2026-05-01T15:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43019","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it's possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently.  
Just RCU lock is not suitable here, as we also want to\navoid \"tearing\" in the configuration.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/66d432e9b45bae7881ffcdb12cd8fd0bf254ef02","https://git.kernel.org/stable/c/7d568fede8eac91161a60b710aa920abe9b0fb9f","https://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c","https://git.kernel.org/stable/c/bad65b4b0a96139f023eadc28a33125963208449"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43020","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key 
state.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f37d1e65c6d71ad94ccfb5c602163c525db789d","https://git.kernel.org/stable/c/257cdb960d8ff6d60bb6461b03c814b6cf0c9e64","https://git.kernel.org/stable/c/40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009","https://git.kernel.org/stable/c/50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257","https://git.kernel.org/stable/c/82f342b3b006ca1d65f4890c05f2ec32fcb808b6","https://git.kernel.org/stable/c/b8dbe9648d69059cfe3a28917bfbf7e61efd7f15","https://git.kernel.org/stable/c/c34577f517b556fb6ca173d45bf7e766ae2564ce","https://git.kernel.org/stable/c/f71695e81f4cb428f3c7e2138eae88199005b52c"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43021","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once fails\n\nWhen hci_cmd_sync_queue_once() returns with error, the destroy callback\nwill not be called.\n\nFix leaking references / memory on these failures.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7fd74178d4b16dcf47179da634ea9d7c02e3608b","https://git.kernel.org/stable/c/aca377208e7f7322bf4e107cdec6e7d7e8aa7a88"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43022","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists\n\nhci_cmd_sync_queue_once() needs to indicate whether a queue item was\nadded, so caller can know if callbacks are called, so it can avoid\nleaking resources.\n\nChange the function 
to return -EEXIST if queue item already exists.\n\nModify all callsites to handle that.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ad2ce230b38cd4b3f6732cc609e270461e626e5","https://git.kernel.org/stable/c/2969554bcfccb5c609f6b6cd4a014933f3a66dd0"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43023","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               <- blocked\n      -> hcon1\n    sco_conn_add->conn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1->sk = sk\n      sk->conn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk->conn=NULL\n                               conn1->sk=NULL\n                               sk_state=\n                                 
BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -> hcon2\n                                                  sco_conn_add\n                                                    -> conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk->conn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. 
Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27","https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b","https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d","https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0","https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14","https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43024","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject immediate NF_QUEUE verdict\n\nnft_queue is always used from userspace nftables to deliver the NF_QUEUE\nverdict. Immediately emitting an NF_QUEUE verdict is never used by the\nuserspace nft tools, so reject immediate NF_QUEUE verdicts.\n\nThe arp family does not provide queue support, but such an immediate\nverdict is still reachable. 
Globally reject NF_QUEUE immediate verdicts\nto address this issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17dc5d5a935c771338430cbc156a16a51cfd31e8","https://git.kernel.org/stable/c/2f7f825a548be55420f0f5f716f6c27b9d312d3f","https://git.kernel.org/stable/c/42a47f4b1b7695026ab9bc1bb35d4622b0835c95","https://git.kernel.org/stable/c/4b12a3cc3f075e750cc3c5e693fd25fb400af4a2","https://git.kernel.org/stable/c/68390437a998c3f2c57212b413abef5e6d657d88","https://git.kernel.org/stable/c/da107398cbd4bbdb6bffecb2ce86d5c9384f4cec","https://git.kernel.org/stable/c/f140593901724cfbd16597c3a4fcb24a58ae44b0","https://git.kernel.org/stable/c/f710691be163ae6b39e4bcab9e5be32d329f035b"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43025","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n  BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n  Read of size 4 at addr ffff8880043fe408 by task poc/102\n  Call Trace:\n   nf_ct_expect_related_report+0x2479/0x27c0\n   ctnetlink_create_expect+0x22b/0x3b0\n   ctnetlink_new_expect+0x4bd/0x5c0\n   nfnetlink_rcv_msg+0x67a/0x950\n   netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink 
dump.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd","https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d","https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3","https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6","https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a","https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897"],"published_time":"2026-05-01T15:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43012","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix switchdev mode rollback in case of failure\n\nIf for some internal reason switchdev mode fails, we rollback to legacy\nmode, before this patch, rollback will unregister the uplink netdev and\nleave it unregistered causing the below kernel bug.\n\nTo fix this, we need to avoid netdev unregister by setting the proper\nrollback flag 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to indicate legacy mode.\n\ndevlink (431) used greatest stack depth: 11048 bytes left\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), \\\n\tnecvfs(0), active vports(0)\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nmlx5_core 0000:00:03.0: Loading uplink representor for vport 65535\nmlx5_core 0000:00:03.0: mlx5_cmd_out_err:816:(pid 456): \\\n\tQUERY_HCA_CAP(0x100) op_mod(0x0) failed, \\\n\tstatus bad parameter(0x3), syndrome (0x3a3846), err(-22)\nmlx5_core 0000:00:03.0 enp0s3np0 (unregistered): Unloading uplink \\\n\trepresentor for vport 65535\n ------------[ cut here ]------------\nkernel BUG at net/core/dev.c:12070!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 456 Comm: devlink Not tainted 6.16.0-rc3+ 
\\\n\t#9 PREEMPT(voluntary)\nRIP: 0010:unregister_netdevice_many_notify+0x123/0xae0\n...\nCall Trace:\n[   90.923094]  unregister_netdevice_queue+0xad/0xf0\n[   90.923323]  unregister_netdev+0x1c/0x40\n[   90.923522]  mlx5e_vport_rep_unload+0x61/0xc6\n[   90.923736]  esw_offloads_enable+0x8e6/0x920\n[   90.923947]  mlx5_eswitch_enable_locked+0x349/0x430\n[   90.924182]  ? is_mp_supported+0x57/0xb0\n[   90.924376]  mlx5_devlink_eswitch_mode_set+0x167/0x350\n[   90.924628]  devlink_nl_eswitch_set_doit+0x6f/0xf0\n[   90.924862]  genl_family_rcv_msg_doit+0xe8/0x140\n[   90.925088]  genl_rcv_msg+0x18b/0x290\n[   90.925269]  ? __pfx_devlink_nl_pre_doit+0x10/0x10\n[   90.925506]  ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n[   90.925766]  ? __pfx_devlink_nl_post_doit+0x10/0x10\n[   90.926001]  ? __pfx_genl_rcv_msg+0x10/0x10\n[   90.926206]  netlink_rcv_skb+0x52/0x100\n[   90.926393]  genl_rcv+0x28/0x40\n[   90.926557]  netlink_unicast+0x27d/0x3d0\n[   90.926749]  netlink_sendmsg+0x1f7/0x430\n[   90.926942]  __sys_sendto+0x213/0x220\n[   90.927127]  ? 
__sys_recvmsg+0x6a/0xd0\n[   90.927312]  __x64_sys_sendto+0x24/0x30\n[   90.927504]  do_syscall_64+0x50/0x1c0\n[   90.927687]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   90.927929] RIP: 0033:0x7f7d0363e047","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ebb13f3e8be0b61f72425b34cce60c8b6ad1891","https://git.kernel.org/stable/c/403186400a1a6166efe7031edc549c15fee4723f","https://git.kernel.org/stable/c/4363698838b7ec6e8d85b179495889aa7e522f91","https://git.kernel.org/stable/c/e27153b2bd6e6699b544ac4dfa35d167bed5e642"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43013","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. 
This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7129632cab3e4d23510b21930aa73b8d97a859f5","https://git.kernel.org/stable/c/89c65f2fcd8801365b410f40a427cbcd7f4c28e9","https://git.kernel.org/stable/c/a3db46d5f4df92630a96f7bc77b60e75c2353e06","https://git.kernel.org/stable/c/bf16bca6653679d8a514d6c1c5a2c67065033f14","https://git.kernel.org/stable/c/c53cf44588a93000f71817a6bb87a66353c48dee","https://git.kernel.org/stable/c/cfa774e6c920c81e700327bf10db8cb50d5db456"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43014","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: properly unregister fixed rate clocks\n\nThe additional resources allocated with clk_register_fixed_rate() need\nto be released with clk_unregister_fixed_rate(), otherwise they are 
lost.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/015aa24d3721a05b40935b8af78b49cadf616b8d","https://git.kernel.org/stable/c/5392a5174df4f5a2fad2f00e8c617394d0efe031","https://git.kernel.org/stable/c/54c6f0e7682433abed0304ac2f5cb71a92d4b366","https://git.kernel.org/stable/c/6ec567425c057fd850651ee09b31d059ef960e0f","https://git.kernel.org/stable/c/e1f6f47d6e60d51c3294e5b85787e9aee24c450e","https://git.kernel.org/stable/c/e35dbfdb1b7710f04ff5c9972ea04971d823a22d","https://git.kernel.org/stable/c/ec1be2ce0d94506f11b22066fd6dc5eb4341b14f","https://git.kernel.org/stable/c/f0f367a4f459cc8118aadc43c6bba53c60d93f8d"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43015","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix clk handling on PCI glue driver removal\n\nplatform_device_unregister() may still want to use the registered clks\nduring runtime resume callback.\n\nNote that there is a commit d82d5303c4c5 (\"net: macb: fix use after free\non rmmod\") that addressed the similar problem of clk vs platform device\nunregistration but just moved the bug to another place.\n\nSave the pointers to clks into local variables for reuse after platform\ndevice is unregistered.\n\nBUG: KASAN: use-after-free in clk_prepare+0x5a/0x60\nRead of size 8 at addr ffff888104f85e00 by task modprobe/597\n\nCPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8d/0xba\n print_report+0x17f/0x496\n kasan_report+0xd9/0x180\n clk_prepare+0x5a/0x60\n macb_runtime_resume+0x13d/0x410 [macb]\n pm_generic_runtime_resume+0x97/0xd0\n __rpm_callback+0xc8/0x4d0\n 
rpm_callback+0xf6/0x230\n rpm_resume+0xeeb/0x1a70\n __pm_runtime_resume+0xb4/0x170\n bus_remove_device+0x2e3/0x4b0\n device_del+0x5b3/0xdc0\n platform_device_del+0x4e/0x280\n platform_device_unregister+0x11/0x50\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n </TASK>\n\nAllocated by task 519:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x8e/0x90\n __clk_register+0x458/0x2890\n clk_hw_register+0x1a/0x60\n __clk_hw_register_fixed_rate+0x255/0x410\n clk_register_fixed_rate+0x3c/0xa0\n macb_probe+0x1d8/0x42e [macb_pci]\n local_pci_probe+0xd7/0x190\n pci_device_probe+0x252/0x600\n really_probe+0x255/0x7f0\n __driver_probe_device+0x1ee/0x330\n driver_probe_device+0x4c/0x1f0\n __driver_attach+0x1df/0x4e0\n bus_for_each_dev+0x15d/0x1f0\n bus_add_driver+0x486/0x5e0\n driver_register+0x23a/0x3d0\n do_one_initcall+0xfd/0x4d0\n do_init_module+0x18b/0x5a0\n load_module+0x5663/0x7950\n __do_sys_finit_module+0x101/0x180\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 597:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x180\n __kmem_cache_free+0xbc/0x320\n clk_unregister+0x6de/0x8d0\n macb_remove+0x73/0xc0 [macb_pci]\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n 
entry_SYSCALL_64_after_hwframe+0x6e/0xd8","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16ab4c0e2b15df5d33bfcb9ea8e4441b85dd4a57","https://git.kernel.org/stable/c/2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae","https://git.kernel.org/stable/c/3496fb9e66f79d4def3bb7ec7563e3eaa33a688f","https://git.kernel.org/stable/c/67f70841a175fa3469119f52d77a3662c07507a2","https://git.kernel.org/stable/c/b3f799cdf830df1782ae463cf15ace35015be99e","https://git.kernel.org/stable/c/bf64cae913cdd4821f13d5d1d68900c0891bef69","https://git.kernel.org/stable/c/ce8fe5287b87e24e225c342f3b0ec04f0b3680fe","https://git.kernel.org/stable/c/f310a836da90d0f0321b14d446c071af63f9ee4c"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43016","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket's sk->sk_socket\nin sk_psock_verdict_data_ready(). 
[0]\n\nIn unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer's refcount, it does not\nprevent the peer's sock_orphan(), and the peer's sk_socket might\nbe freed after one RCU grace period.\n\nLet's fetch the peer's sk->sk_socket and sk->sk_socket->ops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 
0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n </TASK>\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch 
kernel/rcu/tree.c:\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18861f87a043e78b1f901cae4237e755ed7ef095","https://git.kernel.org/stable/c/68187f18a89be4b6237d28ae1313b5adf76238c6","https://git.kernel.org/stable/c/8d597e3e74027900ffa81b8ff47ab51999a3e110","https://git.kernel.org/stable/c/ad8391d37f334ee73ba91926f8b4e4cf6d31ea04","https://git.kernel.org/stable/c/af95bc39a83d82ae6ad253986335037256888b3f"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43017","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. 
MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566","https://git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631","https://git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0","https://git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf","https://git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b","https://git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43018","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_le_remote_conn_param_req_evt, otherwise it's possible it is freed\nconcurrently.\n\nExtend the hci_dev_lock critical section to cover all conn 
usage.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d0bdbfe3e91c11f0a704c52443a9446a10d699c","https://git.kernel.org/stable/c/59eecf0ffde15670e6a5e10c47be67f73d843b20","https://git.kernel.org/stable/c/5fb69e1eeea9d6cba80517e9f058b56b34bc3a81","https://git.kernel.org/stable/c/7cadb03be37e761130edb153544fe0770a842b19","https://git.kernel.org/stable/c/b255531b27da336571411248c2a72a350662bd09","https://git.kernel.org/stable/c/ea3cd36d7382d5f8309df04c275d20df139ed42c"],"published_time":"2026-05-01T15:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43004","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: stm32-ospi: Fix resource leak in remove() callback\n\nThe remove() callback returned early if pm_runtime_resume_and_get()\nfailed, skipping the cleanup of spi controller and other resources.\n\nRemove the early return so cleanup completes regardless of PM resume\nresult.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0807532c5ebb72751bfe773e6ae79db0e9c57ab9","https://git.kernel.org/stable/c/73cd1f97946ae3796544448ff12c07f399bb2881","https://git.kernel.org/stable/c/b4ec54c974c6ea68b309989dcc3d3511068f45f3"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43005","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (tps53679) Fix array access with zero-length block read\n\ni2c_smbus_read_block_data() can return 0, indicating a zero-length\nread. 
When this happens, tps53679_identify_chip() accesses buf[ret - 1]\nwhich is buf[-1], reading one byte before the buffer on the stack.\n\nFix by changing the check from \"ret < 0\" to \"ret <= 0\", treating a\nzero-length read as an error (-EIO), which prevents the out-of-bounds\narray access.\n\nAlso fix a typo in the adjacent comment: \"if present\" instead of\nduplicate \"if\".","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e211f6aaa6a00fd0ee0c1eea5498f168c6725e6","https://git.kernel.org/stable/c/6999b4769e2a61c463158927102e8c07e3f69ba2","https://git.kernel.org/stable/c/79b7e588399bb55f4c10bea6ca41b6c3b944d2bb"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43006","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: reject zero-length fixed buffer import\n\nvalidate_fixed_range() admits buf_addr at the exact end of the\nregistered region when len is zero, because the check uses strict\ngreater-than (buf_end > imu->ubuf + imu->len).  io_import_fixed()\nthen computes offset == imu->len, which causes the bvec skip logic\nto advance past the last bio_vec entry and read bv_offset from\nout-of-bounds slab memory.\n\nReturn early from io_import_fixed() when len is zero.  
A zero-length\nimport has no data to transfer and should not walk the bvec array\nat all.\n\n  BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0\n  Read of size 4 at addr ffff888002bcc254 by task poc/103\n  Call Trace:\n   io_import_reg_buf+0x697/0x7f0\n   io_write_fixed+0xd9/0x250\n   __io_issue_sqe+0xad/0x710\n   io_issue_sqe+0x7d/0x1100\n   io_submit_sqes+0x86a/0x23c0\n   __do_sys_io_uring_enter+0xa98/0x1590\n  Allocated by task 103:\n  The buggy address is located 12 bytes to the right of\n   allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/040a1e7e0e2f01851fec1dd2d96906f8636a9f75","https://git.kernel.org/stable/c/111a12b422a8cfa93deabaef26fec48237163214","https://git.kernel.org/stable/c/40170fc1a79c1b2e68f09ae6aac687b7305ae6f4"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43007","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Handle DBC deactivation if the owner went away\n\nWhen a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV\ntransaction to the host over the QAIC_CONTROL MHI channel. QAIC handles\nthis by calling decode_deactivate() to release the resources allocated for\nthat DBC. Since that handling is done in the qaic_manage_ioctl() context,\nif the user goes away before receiving and handling the deactivation, the\nhost will be out-of-sync with the DBCs available for use, and the DBC\nresources will not be freed unless the device is removed. 
If another user\nloads and requests to activate a network, then the device assigns the same\nDBC to that network, QAIC will \"indefinitely\" wait for dbc->in_use = false,\nleading the user process to hang.\n\nAs a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions\nthat are received after the user has gone away.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08021f2d4a557d6491e3bcc288e96425f50aa3cf","https://git.kernel.org/stable/c/2dd67966f39a2abf8ccb4865031c722e40e01b7f","https://git.kernel.org/stable/c/2feec5ae5df785658924ab6bd91280dc3926507c","https://git.kernel.org/stable/c/ee0180e77e6c8482644569632065411de844c515","https://git.kernel.org/stable/c/f403094d9075d7c565a3d81002b781c325cb3c07"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43008","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: qixis-fpga: Fix error handling for devm_regmap_init_mmio()\n\ndevm_regmap_init_mmio() returns an ERR_PTR() on failure, not NULL.\nThe original code checked for NULL which would never trigger on error,\npotentially leading to an invalid pointer dereference.\nUse IS_ERR() and PTR_ERR() to properly handle the error case.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8de4e0f44c638c66cdc5eeb4d5ab9acd61c31e4f","https://git.kernel.org/stable/c/e54b8fe9454cc786590a0b88db96afe0cdc8a83d"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43009","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix incorrect pruning due to atomic fetch 
precision tracking\n\nWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC\nand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as\na destination, thus receiving the old value from the memory location.\n\nThe current backtracking logic does not account for this. It treats\natomic fetch operations the same as regular stores where the src\nregister is only an input. This leads the backtrack_insn to fail to\npropagate precision to the stack location, which is then not marked\nas precise!\n\nLater, the verifier's path pruning can incorrectly consider two states\nequivalent when they differ in terms of stack state. Meaning, two\nbranches can be treated as equivalent and thus get pruned when they\nshould not be seen as such.\n\nFix it as follows: Extend the BPF_LDX handling in backtrack_insn to\nalso cover atomic fetch operations via is_atomic_fetch_insn() helper.\nWhen the fetch dst register is being tracked for precision, clear it,\nand propagate precision over to the stack slot. For non-stack memory,\nthe precision walk stops at the atomic instruction, same as regular\nBPF_LDX. 
This covers all fetch variants.\n\nBefore:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) exit\n\nAfter:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0\n  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1\n  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) 
exit","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1","https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43010","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject sleepable kprobe_multi programs at attach time\n\nkprobe.multi programs run in atomic/RCU context and cannot sleep.\nHowever, bpf_kprobe_multi_link_attach() did not validate whether the\nprogram being attached had the sleepable flag set, allowing sleepable\nhelpers such as bpf_copy_from_user() to be invoked from a non-sleepable\ncontext.\n\nThis causes a \"sleeping function called from invalid context\" splat:\n\n  BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo\n  preempt_count: 1, expected: 0\n  RCU nest depth: 2, expected: 0\n\nFix this by rejecting sleepable programs early in\nbpf_kprobe_multi_link_attach(), before any further processing.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/dc9a060d76c12b23c5f378ee115d5e5d03d8bbf3","https://git.kernel.org/stable/c/eb7024bfcc5f68ed11ed9dd4891a3073c15f04a8","https://git.kernel.org/stable/c/f952157e695fd434bdc05af63a703bb082a78717"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-43011","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix potential double free of skb\n\nWhen alloc_skb fails in 
x25_queue_rx_frame it calls kfree_skb(skb) at\nline 48 and returns 1 (error).\nThis error propagates back through the call chain:\n\nx25_queue_rx_frame returns 1\n    |\n    v\nx25_state3_machine receives the return value 1 and takes the else\nbranch at line 278, setting queued=0 and returning 0\n    |\n    v\nx25_process_rx_frame returns queued=0\n    |\n    v\nx25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)\nagain\n\nThis would free the same skb twice. Looking at x25_backlog_rcv:\n\nnet/x25/x25_in.c:x25_backlog_rcv() {\n    ...\n    queued = x25_process_rx_frame(sk, skb);\n    ...\n    if (!queued)\n        kfree_skb(skb);\n}","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00053,"ranking_epss":0.16406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1","https://git.kernel.org/stable/c/3f5e3005984645bf5bd129c6b13149879580b1fb","https://git.kernel.org/stable/c/524371398d8463ea7e101fce2cbf3915645d1730","https://git.kernel.org/stable/c/5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9","https://git.kernel.org/stable/c/c87dd137c0dad07cc55f98181ff380b0c23d2878","https://git.kernel.org/stable/c/d10a26aa4d072320530e6968ef945c8c575edf61","https://git.kernel.org/stable/c/f782dd382203b2a8c4552a628431b7de65a19a7b","https://git.kernel.org/stable/c/fa1dbc93530b34fab0da9862426fe9c918c74dc0"],"published_time":"2026-05-01T15:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42476","summary":"Two heap-based out-of-bounds read vulnerabilities in the STL ASCII file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 exist in RWStl_Reader::ReadAscii because buffers returned by Standard_ReadLineBuffer::ReadLine() are not properly length-validated before strncasecmp or direct byte access. 
User-assisted attackers can trigger these issues by persuading a victim to open a crafted STL file with extremely short lines, resulting in a denial of service or possible information disclosure.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01782,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T15:16:43","vendor":"opencascade","product":"open_cascade_technology","version":null},{"cve_id":"CVE-2026-42477","summary":"A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() calls pushIndices(aLine + 2) without validating the buffer length.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01782,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T15:16:43","vendor":"opencascade","product":"open_cascade_technology","version":null},{"cve_id":"CVE-2026-42478","summary":"An issue was discovered in VrmlData_IndexedFaceSet::TShape in the VRML V2.0 parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. 
The issue occurs because malformed VRML input can trigger dereference of a corrupt or unvalidated pointer during shape construction in libTKDEVRML.so.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08256,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T15:16:43","vendor":"opencascade","product":"open_cascade_technology","version":null},{"cve_id":"CVE-2026-42479","summary":"An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02062,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a"],"published_time":"2026-05-01T15:16:43","vendor":"opencascade","product":"open_cascade_technology","version":null},{"cve_id":"CVE-2026-31785","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_pagefault: Disallow writes to read-only VMAs\n\nThe page fault handler should reject write/atomic access to read only\nVMAs.  
Add code to handle this in xe_pagefault_service after the VMA\nlookup.\n\nv2:\n- Apply max line length (Matthew)\n\n(cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6d192b4f2d644d15d9a9f1d33dab05af936f6540","https://git.kernel.org/stable/c/b656f040ed4ed2074dfb78072745b41d44368be0"],"published_time":"2026-05-01T15:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31777","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Check the error for index mapping\n\nThe ctxfi driver blindly assumed a proper value returned from\ndaio_device_index(), but it's not always true.  Add a proper error\ncheck to deal with the error from the function.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/277c6960d4ddb94d16198afd70c92c3d4593d131","https://git.kernel.org/stable/c/d4d3b8cbb70a2de247cbfe99bdb232aef9ed59bc"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31778","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix stack out-of-bounds read in init_card\n\nThe loop creates a whitespace-stripped copy of the card shortname\nwhere `len < sizeof(card->id)` is used for the bounds check. 
Since\nsizeof(card->id) is 16 and the local id buffer is also 16 bytes,\nwriting 16 non-space characters fills the entire buffer,\noverwriting the terminating nullbyte.\n\nWhen this non-null-terminated string is later passed to\nsnd_card_set_id() -> copy_valid_id_string(), the function scans\nforward with `while (*nid && ...)` and reads past the end of the\nstack buffer, reading the contents of the stack.\n\nA USB device with a product name containing many non-ASCII, non-space\ncharacters (e.g. multibyte UTF-8) will reliably trigger this as follows:\n\n  BUG: KASAN: stack-out-of-bounds in copy_valid_id_string\n       sound/core/init.c:696 [inline]\n  BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c\n       sound/core/init.c:718\n\nThe off-by-one has been present since commit bafeee5b1f8d (\"ALSA:\nsnd_usb_caiaq: give better shortname\") from June 2009 (v2.6.31-rc1),\nwhich first introduced this whitespace-stripping loop. The original\ncode never accounted for the null terminator when bounding the copy.\n\nFix this by changing the loop bound to `sizeof(card->id) - 1`,\nensuring at least one byte remains as the null 
terminator.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234","https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627","https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0","https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6","https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0","https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6","https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed","https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31779","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()\n\nThe memcpy function assumes the dynamic array notif->matches is at least\nas large as the number of bytes to copy. Otherwise, results->matches may\ncontain unwanted data. 
To guarantee safety, extend the validation in one\nof the checks to ensure sufficient packet length.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/744fabc338e87b95c4d1ff7c95bc8c0f834c6d99","https://git.kernel.org/stable/c/ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2","https://git.kernel.org/stable/c/dd90880eb5ec5442b37eb2b95688f4a63f4883e3","https://git.kernel.org/stable/c/e67d8c626ace80b0fa2b48c8ec0a46b508c93442","https://git.kernel.org/stable/c/f6abac936a0dfd31d6c3e49205ec0ee75a8f887f","https://git.kernel.org/stable/c/ffbed27ba15ef80d1c622eeedbfef03e501ae134"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31780","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation\n\nThe variable valuesize is declared as u8 but accumulates the total\nlength of all SSIDs to scan. 
Each SSID contributes up to 33 bytes\n(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)\nSSIDs the total can reach 330, which wraps around to 74 when stored\nin a u8.\n\nThis causes kmalloc to allocate only 75 bytes while the subsequent\nmemcpy writes up to 331 bytes into the buffer, resulting in a 256-byte\nheap buffer overflow.\n\nWiden valuesize from u8 to u32 to accommodate the full range.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd","https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99","https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024","https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7","https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521","https://git.kernel.org/stable/c/c97b2a00059608592ad0d86fbb813a4f8cf9464b","https://git.kernel.org/stable/c/d049e56b1739101d1c4d81deedb269c52a8dbba0","https://git.kernel.org/stable/c/d8388614de613c28eeb659c10115060a83739924"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31781","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ioc32: stop speculation on the drm_compat_ioctl path\n\nThe drm compat ioctl path takes a user controlled pointer, and then\ndereferences it into a table of function pointers, the signature method\nof spectre problems.  
Fix this up by calling array_index_nospec() on the\nindex to the function pointer list.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27ef84bba9b9d7b03418c60fbc6069ea0e87b13c","https://git.kernel.org/stable/c/46a60ee8956ef1975f00455f614761c7ecedc09d","https://git.kernel.org/stable/c/489f2ef2b908898d01df697dc4fe1476674be640","https://git.kernel.org/stable/c/4a41c2b18fc05d30b718d2602cac339eae710b34","https://git.kernel.org/stable/c/5bb398991f378ef74d90b14a6ea8b61ff96cc03a","https://git.kernel.org/stable/c/d59c5d8539662d95887b4564f3f72ad38076a2d5","https://git.kernel.org/stable/c/f0e441be08a2eab10b2d06fccfa267ee599dd6b3","https://git.kernel.org/stable/c/f8995c2df519f382525ca4bc90553ad2ec611067"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31782","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix potential bad container_of in intel_pmu_hw_config\n\nAuto counter reload may have a group of events with software events\npresent within it. The software event PMU isn't the x86_hybrid_pmu and\na container_of operation in intel_pmu_set_acr_caused_constr (via the\nhybrid helper) could cause out of bound memory reads. 
Avoid this by\nguarding the call to intel_pmu_set_acr_caused_constr with an\nis_x86_event check.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/bfee04838f636d064bc92075c65c95f739003804","https://git.kernel.org/stable/c/dbde07f06226438cd2cf1179745fa1bec5d8914a","https://git.kernel.org/stable/c/e435a30ca6fe14c9611b1fc731c98a6d28410247"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31783","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback\n\naml_sfc_probe() registers the on-host NAND ECC engine, but teardown was\nmissing from both probe unwind and remove-time cleanup. Add a devm cleanup\naction after successful registration so\nnand_ecc_unregister_on_host_hw_engine() runs automatically on probe\nfailures and during device removal.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5e11741aec3b242a197250b473c37b58f53a16b6","https://git.kernel.org/stable/c/b0dc7e7c56573e7a52080f25f3179a45f3dd7e6f","https://git.kernel.org/stable/c/ee4c064e37d4d0ddc5a7580933dbe79a2c6acafc"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31784","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pxp: Clear restart flag in pxp_start after jumping back\n\nIf we don't clear the flag we'll keep jumping back at the beginning of\nthe function once we reach the end.\n\n(cherry picked from commit 
0850ec7bb2459602351639dccf7a68a03c9d1ee0)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/400ee45f80480c05c3fa673967f25faab8323753","https://git.kernel.org/stable/c/76903b2057c8677c2c006e87fede15f496555dc0","https://git.kernel.org/stable/c/9e962e68a9d26135af67c423767c0983d9ad94c3"],"published_time":"2026-05-01T15:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31769","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpib: fix use-after-free in IO ioctl handlers\n\nThe IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor\npointer after board->big_gpib_mutex has been released.  A concurrent\nIBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during\nthis window, causing a use-after-free.\n\nThe IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly\nrelease big_gpib_mutex before calling their handler.  wait_ioctl() is\ncalled with big_gpib_mutex held, but ibwait() releases it internally\nwhen wait_mask is non-zero.  In all four cases, the descriptor pointer\nobtained from handle_to_descriptor() becomes unprotected.\n\nFix this by introducing a kernel-only descriptor_busy reference count\nin struct gpib_descriptor.  Each handler atomically increments\ndescriptor_busy under file_priv->descriptors_mutex before releasing the\nlock, and decrements it when done.  close_dev_ioctl() checks\ndescriptor_busy under the same lock and rejects the close with -EBUSY\nif the count is non-zero.\n\nA reference count rather than a simple flag is necessary because\nmultiple handlers can operate on the same descriptor concurrently\n(e.g. 
IBRD and IBWAIT on the same handle from different threads).\n\nA separate counter is needed because io_in_progress can be cleared from\nunprivileged userspace via the IBWAIT ioctl (through general_ibstatus()\nwith set_mask containing CMPL), which would allow an attacker to bypass\na check based solely on io_in_progress.  The new descriptor_busy\ncounter is only modified by the kernel IO paths.\n\nThe lock ordering is consistent (big_gpib_mutex -> descriptors_mutex)\nand the handlers only hold descriptors_mutex briefly during the lookup,\nso there is no deadlock risk and no impact on IO throughput.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28c75dd143ead62e0dfac564c79d251e21d5d74b","https://git.kernel.org/stable/c/cae26eff1b56d78bed7873cf3e60a2b1bdd4da6c","https://git.kernel.org/stable/c/d1857f8296dceb75d00ab857fc3c61bc00c7f5c6"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31770","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (occ) Fix division by zero in occ_show_power_1()\n\nIn occ_show_power_1() case 1, the accumulator is divided by\nupdate_tag without checking for zero. If no samples have been\ncollected yet (e.g. during early boot when the sensor block is\nincluded but hasn't been updated), update_tag is zero, causing\na kernel divide-by-zero crash.\n\nThe 2019 fix in commit 211186cae14d (\"hwmon: (occ) Fix division by\nzero issue\") only addressed occ_get_powr_avg() used by\nocc_show_power_2() and occ_show_power_a0(). This separate code\npath in occ_show_power_1() was missed.\n\nFix this by reusing the existing occ_get_powr_avg() helper, which\nalready handles the zero-sample case and uses mul_u64_u32_div()\nto multiply before dividing for better precision. 
Move the helper\nabove occ_show_power_1() so it is visible at the call site.\n\n[groeck: Fix alignment problems reported by checkpatch]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/243d55bd3f08cb15eee9d63f4716d4d4cdd760f5","https://git.kernel.org/stable/c/2502684b9e835de9a992ec47c3e6c6faabe3858d","https://git.kernel.org/stable/c/37ae8fadc74ed68e5bc364ffd17746d88e449ae3","https://git.kernel.org/stable/c/39e2a5bf970402a8530a319cf06122e216ba57b8","https://git.kernel.org/stable/c/53e6175756b8c474b6247bbcea0aad3d68357475","https://git.kernel.org/stable/c/7b89ce0c98bf3015f493ca4285b2d1056cd8c733","https://git.kernel.org/stable/c/bbbefc48f6617cfb738dcff7f44beb50b5dfeb38","https://git.kernel.org/stable/c/c7d3712362c8ab8f82f441b649d9e446e7b9aa9d"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31771","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: move wake reason storage into validated event handlers\n\nhci_store_wake_reason() is called from hci_event_packet() immediately\nafter stripping the HCI event header but before hci_event_func()\nenforces the per-event minimum payload length from hci_ev_table.\nThis means a short HCI event frame can reach bacpy() before any bounds\ncheck runs.\n\nRather than duplicating skb parsing and per-event length checks inside\nhci_store_wake_reason(), move wake-address storage into the individual\nevent handlers after their existing event-length validation has\nsucceeded. 
Convert hci_store_wake_reason() into a small helper that only\nstores an already-validated bdaddr while the caller holds hci_dev_lock().\nUse the same helper after hci_event_func() with a NULL address to\npreserve the existing unexpected-wake fallback semantics when no\nvalidated event handler records a wake address.\n\nAnnotate the helper with __must_hold(&hdev->lock) and add\nlockdep_assert_held(&hdev->lock) so future call paths keep the lock\ncontract explicit.\n\nCall the helper from hci_conn_request_evt(), hci_conn_complete_evt(),\nhci_sync_conn_complete_evt(), le_conn_complete_evt(),\nhci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),\nhci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and\nhci_le_past_received_evt().","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b2bf47cd75518c36fa2d41380e4a40641cc89cd","https://git.kernel.org/stable/c/86c8d07a64d553c41e213b52650020010f9ef23e"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31772","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync\n\nhci_le_big_create_sync() uses DEFINE_FLEX to allocate a\nstruct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)\nBIS entries.  However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)\nentries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller\nhci_conn_big_create_sync().  
When conn->num_bis is between 18 and 31,\nthe memcpy that copies conn->bis into cp->bis writes up to 14 bytes\npast the stack buffer, corrupting adjacent stack memory.\n\nThis is trivially reproducible: binding an ISO socket with\nbc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will\neventually trigger hci_le_big_create_sync() from the HCI command\nsync worker, causing a KASAN-detectable stack-out-of-bounds write:\n\n  BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0\n  Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71\n\nFix this by changing the DEFINE_FLEX count from the incorrect 0x11 to\nHCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that\nconn->bis can actually carry.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/aba0aea354015794e8312dd7efe726967e58aefe","https://git.kernel.org/stable/c/bc39a094730ce062fa034a529c93147c096cb488","https://git.kernel.org/stable/c/eaf32002ca7b1ba51c9f140991fd9febe6de79f0","https://git.kernel.org/stable/c/f5d446624345d309e7a4a1b27ea9f028d6a8c5d9"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31773","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: derive legacy responder STK authentication from MITM state\n\nThe legacy responder path in smp_random() currently labels the stored\nSTK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.\nThat reflects what the local service requested, not what the pairing\nflow actually achieved.\n\nFor Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear\nand the resulting STK should remain unauthenticated even if the local\nside requested HIGH security. 
Use the established MITM state when\nstoring the responder STK so the key metadata matches the pairing result.\n\nThis also keeps the legacy path aligned with the Secure Connections code,\nwhich already treats JUST_WORKS/JUST_CFM as unauthenticated.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09463,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/061ee71ac6b03c9f8432fe49538c3682bfcf4cf3","https://git.kernel.org/stable/c/0afc846bd80073ffcd2b8040f2b2fafaea3d9f72","https://git.kernel.org/stable/c/20756fec2f0108cb88e815941f1ffff88dc286fe","https://git.kernel.org/stable/c/667f44f1392df6482483756458c48670e579e9ff","https://git.kernel.org/stable/c/929db734d12db41ca5f95424db4612397f1bd4a7","https://git.kernel.org/stable/c/9a38659a3d06080715691bd3139f9c4b61f688e3","https://git.kernel.org/stable/c/9a6d0db176f082685e0b6149700c0baf3ce2aa8b","https://git.kernel.org/stable/c/b1c6a8e554a39b222c0879a288ea98e338fc4d77"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31774","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()\n\nsqe->len is __u32 but gets stored into sr->len which is int. When\nuserspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),\nsr->len overflows to a negative value. This negative value propagates\nthrough the bundle recv/send path:\n\n  1. io_recv(): sel.val = sr->len (ssize_t gets -1)\n  2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets\n     0xFFFFFFFFFFFFFFFF)\n  3. io_ring_buffers_peek(): buf->len is not clamped because max_len\n     is astronomically large\n  4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()\n  5. 
io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,\n     causing ret to increase instead of decrease, creating an\n     infinite loop that reads past the allocated iov[] array\n\nThis results in a slab-out-of-bounds read in io_bundle_nbufs() from\nthe kmalloc-64 slab, as nbufs increments past the allocated iovec\nentries.\n\n  BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160\n  Read of size 8 at addr ffff888100ae05c8 by task exp/145\n  Call Trace:\n   io_bundle_nbufs+0x128/0x160\n   io_recv_finish+0x117/0xe20\n   io_recv+0x2db/0x1160\n\nFix this by rejecting negative sr->len values early in both\nio_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,\nany value > INT_MAX indicates overflow and is not a valid length.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b655cd311344117d3052f6552cb20d9901c9d7c","https://git.kernel.org/stable/c/90ced24c500ad4e129e9e34b7e56fd7849e350b6","https://git.kernel.org/stable/c/b948f9d5d3057b01188e36664e7c7604d1c8ecb5","https://git.kernel.org/stable/c/c314b405dcc4d8b9041124f928f81715d6328bec"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31775","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization\n\nThe recent refactoring of xfi driver changed the assignment of\natc->daios[] at atc_get_resources(); now it loops over all enum\nDAIOTYP entries while it looped formerly only a part of them.\nThe problem is that the last entry, SPDIF1, is a special type that\nis used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO),\nand there is no corresponding definition for hw20k2.  
Due to the lack\nof the info, it caused a kernel crash on hw20k2, which was already\nworked around by the commit b045ab3dff97 (\"ALSA: ctxfi: Fix missing\nSPDIFI1 index handling\").\n\nThis patch addresses the root cause of the regression above properly,\nsimply by skipping the incorrect SPDIF1 type in the parser loop.\n\nFor making the change clearer, the code is slightly arranged, too.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/75dc1980cf48826287e43dc7a49e310c6691f97e","https://git.kernel.org/stable/c/a79c4c42057818bd9de45d2627464b4f0e02196a"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31776","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix missing SPDIFI1 index handling\n\nSPDIF1 DAIO type isn't properly handled in daio_device_index() for\nhw20k2, and it returned -EINVAL, which ended up with the out-of-bounds\narray access.  Follow the hw20k1 pattern and return the proper index\nfor this type, too.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/950decf59d4e978b60a792ce0b3e1555a608f489","https://git.kernel.org/stable/c/b045ab3dff97edae6d538eeff900a34c098761f8"],"published_time":"2026-05-01T15:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31760","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpib: lpvo_usb: fix memory leak on disconnect\n\nThe driver iterates over the registered USB interfaces during GPIB\nattach and takes a reference to their USB devices until a match is\nfound. 
These references are never released which leads to a memory leak\nwhen devices are disconnected.\n\nFix the leak by dropping the unnecessary references.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/21f942879f86108b300a23683e67483f8c358fc7","https://git.kernel.org/stable/c/5cefb52c1af6f69ea719e42788f6ec6a087eb74c","https://git.kernel.org/stable/c/706f4fe2dacc95d65e7c8dff321711f024bb8d20"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31761","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Move iio_device_register() to correct location\n\niio_device_register() should be at the end of the probe function to\nprevent race conditions.\n\nPlace iio_device_register() at the end of the probe function and place\niio_device_unregister() accordingly.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/051ca43b0e0e4b66bfd349cd53ccf231ad1d69b7","https://git.kernel.org/stable/c/22487ef85f6dd9499ddf49b85a08afc50a3f1992","https://git.kernel.org/stable/c/2a4537653d200fda2a8516083459f8ff6194f8fc","https://git.kernel.org/stable/c/4c05799449108fb0e0a6bd30e65fffc71e60db4d","https://git.kernel.org/stable/c/59a317f8215674c8330817770497301bfb2c1b99","https://git.kernel.org/stable/c/92f18aa86302fe83e0726a1191015f427d4ff056","https://git.kernel.org/stable/c/caec338f91469f0a70b68165185afa3abc994545","https://git.kernel.org/stable/c/cc3de12a5612ee25df7fb549cb7b3e4cc8bfaf9c"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31762","summary":"In the Linux kernel, the following vulnerability 
has been resolved:\n\niio: gyro: mpu3050: Fix irq resource leak\n\nThe interrupt handler is setup but only a few lines down if\niio_trigger_register() fails the function returns without properly\nreleasing the handler.\n\nAdd cleanup goto to resolve resource leak.\n\nDetected by Smatch:\ndrivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn:\n'irq' from request_threaded_irq() not released on lines: 1124.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a8e68d65a443de05061818823037931674740e0","https://git.kernel.org/stable/c/4216db1043a3be72ef9c2b7b9f393d7fa72496e6","https://git.kernel.org/stable/c/658d9deb45d5032baf388ac51991d1e789157334","https://git.kernel.org/stable/c/889253494ec73d60bd47c0518f8fe3a748520d5b","https://git.kernel.org/stable/c/8f237c408f3007d7d9667623ffb41a9e9d661ee9","https://git.kernel.org/stable/c/b52fd1644ad2c4e96bbec97543a966d7ad8f21ea","https://git.kernel.org/stable/c/beb23092571e627190f23da4bb8548065cacd89c","https://git.kernel.org/stable/c/e66215fc1878357d5c980066e650f542330524af"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31763","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Fix incorrect free_irq() variable\n\nThe handler for the IRQ part of this driver is mpu3050->trig but,\nin the teardown free_irq() is called with handler mpu3050.\n\nUse correct IRQ handler when calling 
free_irq().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11f7cd960f05b3f06747abfdc4e56dd0d8b8a157","https://git.kernel.org/stable/c/2821f7b62c5b3633c4923c7e4f742380897cd511","https://git.kernel.org/stable/c/8001b42fbd5e510dced3a25665019982c99bc708","https://git.kernel.org/stable/c/8631e755fc07b651b5d158cc3656ef76cc874068","https://git.kernel.org/stable/c/a09171d3f23e13bccd3dc34863186707c6301071","https://git.kernel.org/stable/c/ac1233397f4cfe55d71f6aa459b42c256c951531","https://git.kernel.org/stable/c/edb11a1aef4011a4b7b22cc3c3396c6fe371f4a6","https://git.kernel.org/stable/c/fdbe4b5268cd41f9953d25a67d139e47cac34519"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31764","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only\n\nThe st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace\nwrites the buffer sampling frequency sysfs attribute, calls\nst_lsm6dsx_check_odr(), which accesses the odr_table array at index\n`sensor->id`; since this array is only 2 entries long, an access for any\nsensor type other than accelerometer or gyroscope is an out-of-bounds\naccess.\n\nThe motivation for being able to set a buffer frequency different from the\nsensor sampling frequency is to support use cases that need accurate event\ndetection (which requires a high sampling frequency) while retrieving\nsensor data at low frequency. 
Since all the supported event types are\ngenerated from acceleration data only, do not create the buffer sampling\nfrequency attribute for sensor types other than the accelerometer.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3225a81e8d264442b14c7c1bc965ebafa3c0ee01","https://git.kernel.org/stable/c/679c04c10d65d32a3f269e696b22912ff0a001b9"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31765","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB\n\nCurrently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while\nKFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with\n4K pages, both values match (8KB), so allocation and reserved space\nare consistent.\n\nHowever, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,\nwhile the reserved trap area remains 8KB. This mismatch causes the\nkernel to crash when running rocminfo or rccl unit tests.\n\nKernel attempted to read user page (2) - exploit attempt? 
(uid: 1001)\nBUG: Kernel NULL pointer dereference on read at 0x00000002\nFaulting instruction address: 0xc0000000002c8a64\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\nCPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E\n6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY\nTainted: [E]=UNSIGNED_MODULE\nHardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006\nof:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries\nNIP:  c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730\nREGS: c0000001e0957580 TRAP: 0300 Tainted: G E\nMSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268\nXER: 00000036\nCFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000\nIRQMASK: 1\nGPR00: c00000000125d908 c0000001e0957820 c0000000016e8100\nc00000013d814540\nGPR04: 0000000000000002 c00000013d814550 0000000000000045\n0000000000000000\nGPR08: c00000013444d000 c00000013d814538 c00000013d814538\n0000000084002268\nGPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff\n0000000000020000\nGPR16: 0000000000000000 0000000000000002 c00000015f653000\n0000000000000000\nGPR20: c000000138662400 c00000013d814540 0000000000000000\nc00000013d814500\nGPR24: 0000000000000000 0000000000000002 c0000001e0957888\nc0000001e0957878\nGPR28: c00000013d814548 0000000000000000 c00000013d814540\nc0000001e0957888\nNIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0\nLR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00\nCall Trace:\n0xc0000001e0957890 (unreliable)\n__mutex_lock.constprop.0+0x58/0xd00\namdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]\nkfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]\nkfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]\nkfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]\nkfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]\nkfd_ioctl+0x514/0x670 [amdgpu]\nsys_ioctl+0x134/0x180\nsystem_call_exception+0x114/0x300\nsystem_call_vectored_common+0x15c/0x2ec\n\nThis patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 
KB and\nKFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve\n64 KB for the trap in the address space, but only allocate 8 KB within\nit. With this approach, the allocation size never exceeds the reserved\narea.\n\n(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4487571ef17a30d274600b3bd6965f497a881299","https://git.kernel.org/stable/c/6b2614a0ff05a2d2836311425091c8feca6f0c21","https://git.kernel.org/stable/c/77c918eaa4c916751769242567407f61c6af142a","https://git.kernel.org/stable/c/d3508cf822c4d96d3e492210314f8f6f2da7df58"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31766","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate doorbell_offset in user queue creation\n\namdgpu_userq_get_doorbell_index() passes the user-provided\ndoorbell_offset to amdgpu_doorbell_index_on_bar() without bounds\nchecking. 
An arbitrarily large doorbell_offset can cause the\ncalculated doorbell index to fall outside the allocated doorbell BO,\npotentially corrupting kernel doorbell space.\n\nValidate that doorbell_offset falls within the doorbell BO before\ncomputing the BAR index, using u64 arithmetic to prevent overflow.\n\n(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01645,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3543005a42d7e8e12b21897ef6798541bf7cbcd3","https://git.kernel.org/stable/c/86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6","https://git.kernel.org/stable/c/a018d1819f158991b7308e4f74609c6c029b670c"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31767","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode\n\nStop adjusting the horizontal timing values based on the\ncompression ratio in command mode. 
Bspec seems to be telling\nus to do this only in video mode, and this is also how the\nWindows driver does things.\n\nThis should also fix a div-by-zero on some machines because\nthe adjusted htotal ends up being so small that we end up with\nline_time_us==0 when trying to determine the vtotal value in\ncommand mode.\n\nNote that this doesn't actually make the display on the\nHuawei Matebook E work, but at least the kernel no longer\nexplodes when the driver loads.\n\n(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/33b5336e4fd8ba0e40a12989cadb3f5534a0f9e4","https://git.kernel.org/stable/c/4dfce79e098915d8e5fc2b9e1d980bc3251dd32c","https://git.kernel.org/stable/c/55efe8402f46af8399c8b634a18b130a05fd7820","https://git.kernel.org/stable/c/86e926b108880c0109b8635e459450447156aeb7"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31768","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-adc161s626: use DMA-safe memory for spi_read()\n\nAdd a DMA-safe buffer and use it for spi_read() instead of a stack\nmemory. 
All SPI buffers must be DMA-safe.\n\nSince we only need up to 3 bytes, we just use a u8[] instead of __be16\nand __be32 and change the conversion functions appropriately.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/014c6d27878d3883f7bb065610768fd021de1a96","https://git.kernel.org/stable/c/67b3a91bdc48220bfb67155ab528121b9c822782","https://git.kernel.org/stable/c/768461517a28d80fe81ea4d5d03a90cd184ea6ad","https://git.kernel.org/stable/c/b3bb8faeca1a2ef7be95ee8a512b639f9ffce947","https://git.kernel.org/stable/c/d2d031b0786ea66ab0577c9d2d71435068d32199","https://git.kernel.org/stable/c/fa64aab25aba47296aa8d12bb4c88ec3fecb2054"],"published_time":"2026-05-01T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31752","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: validate ND option lengths\n\nbr_nd_send() walks ND options according to option-provided lengths.\nA malformed option can make the parser advance beyond the computed\noption span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet 
address.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725b","https://git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2","https://git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85","https://git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299b","https://git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7c","https://git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa","https://git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7","https://git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31753","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: line-display: fix NULL dereference in linedisp_release\n\nlinedisp_release() currently retrieves the enclosing struct linedisp via\nto_linedisp(). That lookup depends on the attachment list, but the\nattachment may already have been removed before put_device() invokes the\nrelease callback. 
This can happen in linedisp_unregister(), and can also\nbe reached from some linedisp_register() error paths.\n\nIn that case, to_linedisp() returns NULL and linedisp_release()\ndereferences it while freeing the display resources.\n\nThe struct device released here is the embedded linedisp->dev used by\nlinedisp_register(), so retrieve the enclosing object directly with\ncontainer_of() instead.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/625fdac41cfc4ca9e1774a0d31d7985aec2c1d66","https://git.kernel.org/stable/c/7f138de156b20d9f9da6f72f90b63c01941d97d3"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31754","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix state inconsistency on gadget init failure\n\nWhen cdns3_gadget_start() fails, the DRD hardware is left in gadget mode\nwhile software state remains INACTIVE, creating hardware/software state\ninconsistency.\n\nWhen switching to host mode via sysfs:\n  echo host > /sys/class/usb_role/13180000.usb-role-switch/role\n\nThe role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error,\nso cdns_role_stop() skips cleanup because state is still INACTIVE.\nThis violates the DRD controller design specification (Figure22),\nwhich requires returning to idle state before switching roles.\n\nThis leads to a synchronous external abort in xhci_gen_setup() when\nsetting up the host controller:\n\n[  516.440698] configfs-gadget 13180000.usb: failed to start g1: -19\n[  516.442035] cdns-usb3 13180000.usb: Failed to add gadget\n[  516.443278] cdns-usb3 13180000.usb: set role 2 has failed\n...\n[ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller\n[ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP\n[ 
1301.382485] pc : xhci_gen_setup+0xa4/0x408\n[ 1301.393391] backtrace:\n    ...\n    xhci_gen_setup+0xa4/0x408    <-- CRASH\n    xhci_plat_setup+0x44/0x58\n    usb_add_hcd+0x284/0x678\n    ...\n    cdns_role_set+0x9c/0xbc        <-- Role switch\n\nFix by calling cdns_drd_gadget_off() in the error path to properly\nclean up the DRD gadget state.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08562,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5a85599ca4d2584d89dc69f4fc49303b75a42338","https://git.kernel.org/stable/c/9b1d301fbae837bf6979a19030b81d869bb15f7a","https://git.kernel.org/stable/c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f","https://git.kernel.org/stable/c/c32f8748d70c8fc77676ad92ed76cede17bf2c48","https://git.kernel.org/stable/c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f","https://git.kernel.org/stable/c/cfca84f5986afceb63a3adf39d4a98e915aebbc2","https://git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31755","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix NULL pointer dereference in ep_queue\n\nWhen the gadget endpoint is disabled or not yet configured, the ep->desc\npointer can be NULL. 
This leads to a NULL pointer dereference when\n__cdns3_gadget_ep_queue() is called, causing a kernel crash.\n\nAdd a check to return -ESHUTDOWN if ep->desc is NULL, which is the\nstandard return code for unconfigured endpoints.\n\nThis prevents potential crashes when ep_queue is called on endpoints\nthat are not ready.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14bf08ab2cdfcdfd3f13e799d06692a1b3e0745f","https://git.kernel.org/stable/c/390536cc6af4ca5566bc3bf1f8b704700380cd2c","https://git.kernel.org/stable/c/3d1433fe34b224b90259e207e5389e95b504ef04","https://git.kernel.org/stable/c/7f6f127b9bc34bed35f56faf7ecb1561d6b39000","https://git.kernel.org/stable/c/9ab9b0e5fcdac325f950fc8b6caa08a9e22a0db9","https://git.kernel.org/stable/c/d61446dfc9d387775bb1b95b081953201b9222af","https://git.kernel.org/stable/c/fb2ad0c1334a3eccfe4ed203f9eef5a4879226f6"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31756","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()\n\ndwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,\nwhich expects hsotg->lock to be held since it does spin_unlock/spin_lock\naround the gadget driver callback invocation.\n\nHowever, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()\nwithout holding the lock. 
This leads to:\n - spin_unlock on a lock that is not held (undefined behavior)\n - The lock remaining held after dwc2_gadget_exit_clock_gating() returns,\n   causing a deadlock when spin_lock_irqsave() is called later in the\n   same function.\n\nFix this by acquiring hsotg->lock before calling\ndwc2_gadget_exit_clock_gating() and releasing it afterwards, which\nsatisfies the locking requirement of the call_gadget() macro.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4","https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed","https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f","https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f","https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a","https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1","https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31757","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: usbio: Fix URB memory leak on submit failure\n\nWhen usb_submit_urb() fails in usbio_probe(), the previously allocated\nURB is never freed, causing a memory leak.\n\nFix this by jumping to err_free_urb label to properly release the URB\non the error 
path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1762dc43b983d321180582afba4a0c5185fae04c","https://git.kernel.org/stable/c/33cfe0709b6bf1a7f1a16d5e8d65d003a71b6a21","https://git.kernel.org/stable/c/65ff09f48b0e72e4049096a989723406aabcf091"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31758","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Flush anchored URBs in usbtmc_release\n\nWhen calling usbtmc_release, pending anchored URBs must be flushed or\nkilled to prevent use-after-free errors (e.g. in the HCD giveback\npath). Call usbtmc_draw_down() to allow anchored URBs to be completed.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f","https://git.kernel.org/stable/c/8a768552f7a8276fb9e01d49773d2094ace7c8f1","https://git.kernel.org/stable/c/959ef329071136e4335b54822fe2f607659b4569","https://git.kernel.org/stable/c/95e09b07e50290254b28b8395509473104518f8c","https://git.kernel.org/stable/c/977b632db51d231dec0bc571089a5c2402674139","https://git.kernel.org/stable/c/d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1","https://git.kernel.org/stable/c/d40198de50232e04c14c6e2092e896766c95ea48","https://git.kernel.org/stable/c/e189d443767f7cd390c52f2e122e1fc41c7562d6"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31759","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() 
on\nulpi->dev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01af542392b5d41fd659d487015a71f627accce3","https://git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7","https://git.kernel.org/stable/c/2f70ba9dae13a190673cc3f9b4aad52179738f60","https://git.kernel.org/stable/c/38c28fe25611099230f0965c925499bfcf46a795","https://git.kernel.org/stable/c/8763f8317bb389aded32a32b08f6751cfff657d2","https://git.kernel.org/stable/c/a6e5461f076c2ef63159f18e5cdbd30b50f0bc15","https://git.kernel.org/stable/c/aaeae6533d77e6ed4def85baec01e2815ebbef61","https://git.kernel.org/stable/c/ee248e6e941e4f2e634df2bd43e5f1ef810ab6df"],"published_time":"2026-05-01T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31743","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy\n\nBuffer size used in dma allocation and memcpy is wrong.\nIt can lead to undersized DMA buffer access and possible\nmemory corruption. 
Use correct buffer size in dma_alloc_coherent\nand memcpy.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02696,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2f6e5b9964d0a63a5ba84fca2642876afb70a662","https://git.kernel.org/stable/c/6c01e7f11f5e5f22285d19510a9643e2506e13c3","https://git.kernel.org/stable/c/784ed4abded1ca4b525fa4cade8b02f8c5d2a087","https://git.kernel.org/stable/c/f9b88613ff402aa6fe8fd020573cb95867ae947e"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31744","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPM: EM: Fix NULL pointer dereference when perf domain ID is not found\n\ndev_energymodel_nl_get_perf_domains_doit() calls\nem_perf_domain_get_by_id() but does not check the return value before\npassing it to __em_nl_get_pd_size(). When a caller supplies a\nnon-existent perf domain ID, em_perf_domain_get_by_id() returns NULL,\nand __em_nl_get_pd_size() immediately dereferences pd->cpus\n(struct offset 0x30), causing a NULL pointer dereference.\n\nThe sister handler dev_energymodel_nl_get_perf_table_doit() already\nhandles this correctly via __em_nl_get_pd_table_id(), which returns\nNULL and causes the caller to return -EINVAL. 
Add the same NULL check\nin the get-perf-domains do handler.\n\n[ rjw: Subject and changelog edits ]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9badc2a84e688be1275bb740942d5f6f51746908","https://git.kernel.org/stable/c/ab09b9a1e3b02ff62c5aebe3b12b0cb4cb4ea8ab"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31745","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nreset: gpio: fix double free in reset_add_gpio_aux_device() error path\n\nWhen __auxiliary_device_add() fails, reset_add_gpio_aux_device()\ncalls auxiliary_device_uninit(adev).\n\nThe device release callback reset_gpio_aux_device_release() frees\nadev, but the current error path then calls kfree(adev) again,\ncausing a double free.\n\nKeep kfree(adev) for the auxiliary_device_init() failure path, but\navoid freeing adev after auxiliary_device_uninit().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1de465753220deb41569cf2add87bbb0673731db","https://git.kernel.org/stable/c/fbffb8c7c7bb4d38e9f65e0bee446685011de5d8"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31746","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: Fix memory leak with CCA cards used as accelerator\n\nTests showed that there is a memory leak if CCA cards are used as\naccelerator for clear key RSA requests (ME and CRT). 
With the last\nrework for the memory allocation the AP messages are allocated by\nap_init_apmsg() but for some reason in two places (ME and CRT) the\nolder allocation was still in place. So the first allocation simply\nwas never freed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/586222c37d4027dbf60a604fbe820184fee7c1c9","https://git.kernel.org/stable/c/ace37bfec3822033e59fff390f2ff99fc96ebe4f","https://git.kernel.org/stable/c/c8d46f17c2fc7d25c18e60c008928aecab26184d"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31747","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me4000: Fix potential overrun of firmware buffer\n\n`me4000_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`.  It is possible for it to overrun the source\nbuffer because it blindly trusts the file format.  It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream.  
On failure, log an error and\nreturn `-EINVAL`.\n\nNote: The firmware loading was totally broken before commit ac584af59945\n(\"staging: comedi: me4000: fix firmware downloading\"), but that is the\nmost sensible target for this fix.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1603dd471f47762e9d1f52304edb3e49a7e62655","https://git.kernel.org/stable/c/3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7","https://git.kernel.org/stable/c/64b24b713e1a3ea6624480594b4f8c2ff86502f2","https://git.kernel.org/stable/c/8ddfe6495c245226a30d8b36e2f4a7aa7712e8d6","https://git.kernel.org/stable/c/99f31aa98ab6e3805c455b65bcd01b3d48bdf1a5","https://git.kernel.org/stable/c/de3f923ae7d91480ed3ecea1b1e1fc0dc25b597d","https://git.kernel.org/stable/c/eae19cab44204537f79146f15a51811b13227c38","https://git.kernel.org/stable/c/f72b5567f7c117b46b4058dc6a0c7554f8565561"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31748","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me_daq: Fix potential overrun of firmware buffer\n\n`me2600_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`.  It is possible for it to overrun the source\nbuffer because it blindly trusts the file format.  It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards.  Although it checks that the supplied firmware is at least 16\nbytes long, it does not check that it is long enough to contain the data\nstream.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream.  
On failure, log an error and\nreturn `-EINVAL`.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bf8761eb59e94bf7b8c17b2a1ee48f14378b172","https://git.kernel.org/stable/c/2fc25a4c2e055cd42ea39a1b42c89bfef70e0319","https://git.kernel.org/stable/c/9f39fa07259eb342908e4aa0271dee038a8ce4f8","https://git.kernel.org/stable/c/a47ae40339c1048f519df33ff8840731720f57cb","https://git.kernel.org/stable/c/c16ac4e173a05011437a2d868f70cc415339065a","https://git.kernel.org/stable/c/c8c607a77aab783f2e38cc2e0f24aa6c8f6d200b","https://git.kernel.org/stable/c/cc797d4821c754c701d9714b58bea947e31dbbe0","https://git.kernel.org/stable/c/f3f8ec00cfb8d8e826e30b1138a56355b88e9ba8"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31749","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: ni_atmio16d: Fix invalid clean-up after failed attach\n\nIf the driver's COMEDI \"attach\" handler function (`atmio16d_attach()`)\nreturns an error, the COMEDI core will call the driver's \"detach\"\nhandler function (`atmio16d_detach()`) to clean up.  This calls\n`reset_atmio16d()` unconditionally, but depending on where the error\noccurred in the attach handler, the device may not have been\nsufficiently initialized to call `reset_atmio16d()`.  It uses\n`dev->iobase` as the I/O port base address and `dev->private` as the\npointer to the COMEDI device's private data structure.  `dev->iobase`\nmay still be set to its initial value of 0, which would result in\nundesired writes to low I/O port addresses.  `dev->private` may still be\n`NULL`, which would result in null pointer dereferences.\n\nFix `atmio16d_detach()` by checking that `dev->private` is valid\n(non-null) before calling `reset_atmio16d()`.  
This implies that\n`dev->iobase` was set correctly since that is set up before\n`dev->private`.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/101ab946b79ad83b36d5cfd47de587492a80acf0","https://git.kernel.org/stable/c/3848ae00b1642e2c98ff8cbfd2d3b38c6f53b5c3","https://git.kernel.org/stable/c/43c68a2c7cc35b7c2a83c285cb4ad3d472b8caa2","https://git.kernel.org/stable/c/5d8d88c8c0eec230de8f1f60e0920a4337939a88","https://git.kernel.org/stable/c/933a2d6a95f9bfb203e562c9be1dd990c735535c","https://git.kernel.org/stable/c/a01dd339ea6ac58b0967a50085622a6017351140","https://git.kernel.org/stable/c/d07d97ca4f7fac467cdcf4a012690853958b7e89","https://git.kernel.org/stable/c/f517646e008fe99ca1800601cd011b110f8684ae"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31750","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: runflags cannot determine whether to reclaim chanlist\n\nsyzbot reported a memory leak [1], because commit 4e1da516debb (\"comedi:\nAdd reference counting for Comedi command handling\") did not consider\nthe exceptional exit case in do_cmd_ioctl() where runflags is not set.\nThis caused chanlist not to be properly freed by do_become_nonbusy(),\nas it only frees chanlist when runflags is correctly set.\n\nAdded a check in do_become_nonbusy() for the case where runflags is not\nset, to properly free the chanlist memory.\n\n[1]\nBUG: memory leak\n  backtrace (crc 844a0efa):\n    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]\n    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890\n    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 
[inline]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29f644f14b89e6c4965e3c89251929e451190a66","https://git.kernel.org/stable/c/830c848aba9f047eb6b34288975ebeb8e8621451"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31751","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: dt2815: add hardware detection to prevent crash\n\nThe dt2815 driver crashes when attached to I/O ports without actual\nhardware present. This occurs because syzkaller or users can attach\nthe driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.\n\nWhen no hardware exists at the specified port, inb() operations return\n0xff (floating bus), but outb() operations can trigger page faults due\nto undefined behavior, especially under race conditions:\n\n  BUG: unable to handle page fault for address: 000000007fffff90\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  RIP: 0010:dt2815_attach+0x6e0/0x1110\n\nAdd hardware detection by reading the status register before attempting\nany write operations. If the read returns 0xff, assume no hardware is\npresent and fail the attach with -ENODEV. 
This prevents crashes from\noutb() operations on non-existent hardware.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dcf33994b8dcf3db36530fb7e2cf9f89e5cbac3","https://git.kernel.org/stable/c/34b13250c618d7441508c6ef369144aa8a9b9bfa","https://git.kernel.org/stable/c/34c8b3a91bdfbe4573650b4cd750ef639101fdc5","https://git.kernel.org/stable/c/65c528fbeddd88478c210052f6c7b21be4973156","https://git.kernel.org/stable/c/8d63161837f1bf8810dbcd2a583c2bbf5ca6d733","https://git.kernel.org/stable/c/93853512f565e625df2397f0d8050d6aafd7c3ad","https://git.kernel.org/stable/c/d2a786efdb9971f2a647724625da5bbecc994dc9","https://git.kernel.org/stable/c/d5d9df8b08d68d083ac57abc2c887dfb1f31af63"],"published_time":"2026-05-01T15:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31734","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU\n\nSince commit 8e4f0b1ebcf2 (\"bpf: use rcu_read_lock_dont_migrate() for\ntrampoline.c\"), the BPF prolog (__bpf_prog_enter) calls migrate_disable()\nonly when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate().\nWithout CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled,\nso migration_disabled == 1 always means the task is truly\nmigration-disabled regardless of whether it is the current task.\n\nThe old unconditional p == current check was a false negative in this\ncase, potentially allowing a migration-disabled task to be dispatched to\na remote CPU and triggering scx_error in task_can_run_on_remote_rq().\n\nOnly apply the p == current disambiguation when CONFIG_PREEMPT_RCU is\nenabled, where the ambiguity with the BPF prolog still 
exists.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c4a59df370bea245695c00aaae6ae75747139bd","https://git.kernel.org/stable/c/72c43eb2e334febe93018cfb68ae828f55c6e49e","https://git.kernel.org/stable/c/b4992a9446bb9a639007bfd32bf5c5a7e30199e5"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31735","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niommupt: Fix short gather if the unmap goes into a large mapping\n\nunmap has the odd behavior that it can unmap more than requested if the\nending point lands within the middle of a large or contiguous IOPTE.\n\nIn this case the gather should flush everything unmapped which can be\nlarger than what was requested to be unmapped. The gather was only\nflushing the range requested to be unmapped, not extending to the extra\nrange, resulting in a short invalidation if the caller hits this special\ncondition.\n\nThis was found by the new invalidation/gather test I am adding in\npreparation for ARMv8. 
Claude deduced the root cause.\n\nAs far as I remember nothing relies on unmapping a large entry, so this is\nlikely not a triggerable bug.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816","https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31736","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled\n\nIf the gmac0 is disabled, the precheck for a valid ingress device will\ncause a NULL pointer deref and crash the system. This happens because\neth->netdev[0] will be NULL but the code will directly try to access\nnetdev_ops.\n\nInstead of just checking for the first net_device, it must be checked if\nany of the mtk_eth net_devices is matching the netdev_ops of the ingress\ndevice.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b832aad33e6f160fda310f0306a6483d85e9d6e","https://git.kernel.org/stable/c/5dff799c677152dde963c3917bacd9127b03e145","https://git.kernel.org/stable/c/7b2380f0a0e374010c1a4a13203511b9dee5b166","https://git.kernel.org/stable/c/976ff48c2ac6e6b25b01428c9d7997bcd0fb2949"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31737","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ftgmac100: fix ring allocation unwind on open failure\n\nftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and\nrx_scratch in stages. 
On intermediate failures it returned -ENOMEM\ndirectly, leaking resources allocated earlier in the function.\n\nRework the failure path to use staged local unwind labels and free\nallocated resources in reverse order before returning -ENOMEM. This\nmatches common netdev allocation cleanup style.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/184b3a500d60ea48d1b176103cff1706c456edf3","https://git.kernel.org/stable/c/78da43320d9d6ed788147fb085184e4fc801f057","https://git.kernel.org/stable/c/82f86111f0704ab2ded11a2033bc6cf0be3e09ea","https://git.kernel.org/stable/c/8351d18989c8642fc53e2e12d94e42314a39b078","https://git.kernel.org/stable/c/8a71911fc7eeea930153322bc1efc065db8cd97e","https://git.kernel.org/stable/c/a7e1bf392acf11dc4209820fef75758f6e42bd65","https://git.kernel.org/stable/c/c0fd0fe745f5e8c568d898cd1513d0083e46204a","https://git.kernel.org/stable/c/d45230081f19c280096241353c26b0de457de795"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31738","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: validate ND option lengths in vxlan_na_create\n\nvxlan_na_create() walks ND options according to option-provided\nlengths. 
A malformed option can make the parser advance beyond the\ncomputed option span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500","https://git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7","https://git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958","https://git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385","https://git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1","https://git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321b","https://git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3","https://git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31739","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: tegra - Add missing CRYPTO_ALG_ASYNC\n\nThe tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its\nasynchronous algorithms, causing the crypto API to select them for users\nthat request only synchronous algorithms.  This causes crashes (at\nleast).  
Fix this by adding the flag like what the other drivers do.\nAlso remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just\nget ignored and overridden by the registration function anyway.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.13031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3aea268b6d5cde3b087df9eeecc3bc620aa09513","https://git.kernel.org/stable/c/429d05565eb19ee545d8a8395991372adbe4daf3","https://git.kernel.org/stable/c/4b56770d345524fc2acc143a2b85539cf7d74bc1","https://git.kernel.org/stable/c/bdbf027a4504b4a86740de6beb6d18a957331839"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31740","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member\n\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\n\nThe dev member is assigned both by the counter driver and the PWM driver\nfor channels 1 and 2, to their own struct device instance, overwriting\nthe previous value.\n\nThe sub-drivers race to assign their own struct device pointer to the\nsame struct rz_mtu3_channel's dev member.\n\nThe dev member of struct rz_mtu3_channel is used by the counter\nsub-driver for runtime PM.\n\nDepending on the probe order of the counter and PWM sub-drivers, the\ndev member may point to the wrong struct device instance, causing the\ncounter sub-driver to do runtime PM actions on the wrong device.\n\nTo fix this, use the parent pointer of the counter, which is assigned\nduring probe to the correct struct device, not the struct device pointer\ninside the shared struct 
rz_mtu3_channel.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0","https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead","https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d","https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93","https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31741","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: prevent counter from being toggled multiple times\n\nRuntime PM counter is incremented / decremented each time the sysfs\nenable file is written to.\n\nIf user writes 0 to the sysfs enable file multiple times, runtime PM\nusage count underflows, generating the following message.\n\nrz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!\n\nAt the same time, hardware registers end up being accessed with clocks\noff in rz_mtu3_terminate_counter() to disable an already disabled\nchannel.\n\nIf user writes 1 to the sysfs enable file multiple times, runtime PM\nusage count will be incremented each time, requiring the same number of\n0 writes to get it back to 0.\n\nIf user writes 0 to the sysfs enable file while PWM is in progress, PWM\nis stopped without counter being the owner of the underlying MTU3\nchannel.\n\nCheck against the cached count_is_enabled value and exit if the user\nis trying to set the same enable 
value.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/67c3f99bed6f422ba343d2b70a2eeeccdfd91bef","https://git.kernel.org/stable/c/885aa739a07ab45e90dfa997205acec97979ce4e","https://git.kernel.org/stable/c/ced8b48420eddb1251f93c22dc23fa136490b3cd","https://git.kernel.org/stable/c/e07237df8538b0ae98dce112e4f6db093d767f80","https://git.kernel.org/stable/c/f5f6f06d7e6d262026578b59ba7426eb04acce5d"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31742","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvt: discard stale unicode buffer on alt screen exit after resize\n\nWhen enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and\nsets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize()\nskips reallocating the unicode buffer because vc_uni_lines is NULL.\nHowever, vc_saved_uni_lines still points to the old buffer allocated for\nthe original dimensions.\n\nWhen leave_alt_screen() later restores vc_saved_uni_lines, the buffer\ndimensions no longer match vc_rows/vc_cols. Any operation that iterates\nover the unicode buffer using the current dimensions (e.g. csi_J clearing\nthe screen) will access memory out of bounds, causing a kernel oops:\n\n  BUG: unable to handle page fault for address: 0x0000002000000020\n  RIP: 0010:csi_J+0x133/0x2d0\n\nThe faulting address 0x0000002000000020 is two adjacent u32 space\ncharacters (0x20) interpreted as a pointer, read from the row data area\npast the end of the 25-entry pointer array in a buffer allocated for\n80x25 but accessed with 240x67 dimensions.\n\nFix this by checking whether the console dimensions changed while in the\nalternate screen. If they did, free the stale saved buffer instead of\nrestoring it. 
The unicode screen will be lazily rebuilt via\nvc_uniscr_check() when next needed.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40014493cece72a0be5672cd86763e53fb3ec613","https://git.kernel.org/stable/c/428fdf55301e6c8fa5a36b426240797b1cf86570","https://git.kernel.org/stable/c/891d790fdb5c96c6e1d2841e06ee6c360f2d1288"],"published_time":"2026-05-01T15:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31726","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix NULL pointer dereference during unbind race\n\nCommit b81ac4395bbe (\"usb: gadget: uvc: allow for application to cleanly\nshutdown\") introduced two stages of synchronization waits totaling 1500ms\nin uvc_function_unbind() to prevent several types of kernel panics.\nHowever, this timing-based approach is insufficient during power\nmanagement (PM) transitions.\n\nWhen the PM subsystem starts freezing user space processes, the\nwait_event_interruptible_timeout() is aborted early, which allows the\nunbind thread to proceed and nullify the gadget pointer\n(cdev->gadget = NULL):\n\n[  814.123447][  T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()\n[  814.178583][ T3173] PM: suspend entry (deep)\n[  814.192487][ T3173] Freezing user space processes\n[  814.197668][  T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release\n\nWhen the PM subsystem resumes or aborts the suspend and tasks are\nrestarted, the V4L2 release path is executed and attempts to access the\nalready nullified gadget pointer, triggering a kernel panic:\n\n[  814.292597][    C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake\n[  814.386727][ T3173] Restarting tasks ...\n[  814.403522][ T4558] Unable to handle kernel NULL pointer dereference 
at virtual address 0000000000000030\n[  814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4\n[  814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94\n[  814.404078][ T4558] Call trace:\n[  814.404080][ T4558]  usb_gadget_deactivate+0x14/0xf4\n[  814.404083][ T4558]  usb_function_deactivate+0x54/0x94\n[  814.404087][ T4558]  uvc_function_disconnect+0x1c/0x5c\n[  814.404092][ T4558]  uvc_v4l2_release+0x44/0xac\n[  814.404095][ T4558]  v4l2_release+0xcc/0x130\n\nAddress the race condition and NULL pointer dereference by:\n\n1. State Synchronization (flag + mutex)\nIntroduce a 'func_unbound' flag in struct uvc_device. This allows\nuvc_function_disconnect() to safely skip accessing the nullified\ncdev->gadget pointer. As suggested by Alan Stern, this flag is protected\nby a new mutex (uvc->lock) to ensure proper memory ordering and prevent\ninstruction reordering or speculative loads. This mutex is also used to\nprotect 'func_connected' for consistent state management.\n\n2. Explicit Synchronization (completion)\nUse a completion to synchronize uvc_function_unbind() with the\nuvc_vdev_release() callback. 
This prevents Use-After-Free (UAF) by\nensuring struct uvc_device is freed after all video device resources\nare released.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0587de744615628c38e33ddc1601160a5ea8c50a","https://git.kernel.org/stable/c/0c00ec409d7b2bce3fcac73188b79a141db7cfda","https://git.kernel.org/stable/c/1aa9356881ee4ed414bf72d0c56d915492cb5345","https://git.kernel.org/stable/c/8a1128d604c360eca135f15b882b70256a522145","https://git.kernel.org/stable/c/c038ba56b92e410d1caec22b2dc68780a0b42091","https://git.kernel.org/stable/c/c78e463ee134b4669579d453c81ae00795e4c19a","https://git.kernel.org/stable/c/d92d1532e05b1b31d36d48765e43bf73d793d19f","https://git.kernel.org/stable/c/eba2936bbe6b752a31725a9eb5c674ecbf21ee7d"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31727","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo\n\nCommit ec35c1969650 (\"usb: gadget: f_ncm: Fix net_device lifecycle with\ndevice_move\") reparents the gadget device to /sys/devices/virtual during\nunbind, clearing the gadget pointer. If the userspace tool queries on\nthe surviving interface during this detached window, this leads to a\nNULL pointer dereference.\n\nUnable to handle kernel NULL pointer dereference\nCall trace:\n eth_get_drvinfo+0x50/0x90\n ethtool_get_drvinfo+0x5c/0x1f0\n __dev_ethtool+0xaec/0x1fe0\n dev_ethtool+0x134/0x2e0\n dev_ioctl+0x338/0x560\n\nAdd a NULL check for dev->gadget in eth_get_drvinfo(). 
When detached,\nskip copying the fw_version and bus_info strings, which is natively\nhandled by ethtool_get_drvinfo for empty strings.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0326429e8ba99892e1d1e115dc8e88e1a3b64e24","https://git.kernel.org/stable/c/7de4d46be40738c7e48e64b5cc0a34aa1e047b0a","https://git.kernel.org/stable/c/a36e5e800b9c93e3e1ffa42f34d38b36775dbcee","https://git.kernel.org/stable/c/e002e92e88e12457373ed096b18716d97e7bbb20"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31728","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix race between gether_disconnect and eth_stop\n\nA race condition between gether_disconnect() and eth_stop() leads to a\nNULL pointer dereference. Specifically, if eth_stop() is triggered\nconcurrently while gether_disconnect() is tearing down the endpoints,\neth_stop() attempts to access the cleared endpoint descriptor, causing\nthe following NPE:\n\n  Unable to handle kernel NULL pointer dereference\n  Call trace:\n   __dwc3_gadget_ep_enable+0x60/0x788\n   dwc3_gadget_ep_enable+0x70/0xe4\n   usb_ep_enable+0x60/0x15c\n   eth_stop+0xb8/0x108\n\nBecause eth_stop() crashes while holding the dev->lock, the thread\nrunning gether_disconnect() fails to acquire the same lock and spins\nforever, resulting in a hardlockup:\n\n  Core - Debugging Information for Hardlockup core(7)\n  Call trace:\n   queued_spin_lock_slowpath+0x94/0x488\n   _raw_spin_lock+0x64/0x6c\n   gether_disconnect+0x19c/0x1e8\n   ncm_set_alt+0x68/0x1a0\n   composite_setup+0x6a0/0xc50\n\nThe root cause is that the clearing of dev->port_usb in\ngether_disconnect() is delayed until the end of the function.\n\nMove the clearing of dev->port_usb to the very beginning 
of\ngether_disconnect() while holding dev->lock. This cuts off the link\nimmediately, ensuring eth_stop() will see dev->port_usb as NULL and\nsafely bail out.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6ad77458637b78ec655e3da5f112c862e6690a9d","https://git.kernel.org/stable/c/8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8","https://git.kernel.org/stable/c/a259ba0bce3b192c04334499690372a250f7d0b1","https://git.kernel.org/stable/c/bbb09bb89ffa571475f66daca9482b974cd29d6a","https://git.kernel.org/stable/c/e1e7a66584bf0aff3becb73c19fa31527889fc9e","https://git.kernel.org/stable/c/e1eabb072c75681f78312c484ccfffb7430f206e","https://git.kernel.org/stable/c/f02980594deef751e42133714aee25228f1494c6","https://git.kernel.org/stable/c/f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31729","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: validate connector number in ucsi_notify_common()\n\nThe connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a\n7-bit field (0-127) that is used to index into the connector array in\nucsi_connector_change(). 
However, the array is only allocated for the\nnumber of connectors reported by the device (typically 2-4 entries).\n\nA malicious or malfunctioning device could report an out-of-range\nconnector number in the CCI, causing an out-of-bounds array access in\nucsi_connector_change().\n\nAdd a bounds check in ucsi_notify_common(), the central point where CCI\nis parsed after arriving from hardware, so that bogus connector numbers\nare rejected before they propagate further.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0","https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186","https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078","https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31730","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: possible double-free of cctx->remote_heap\n\nfastrpc_init_create_static_process() may free cctx->remote_heap on the\nerr_map path but does not clear the pointer. 
Later, fastrpc_rpmsg_remove()\nfrees cctx->remote_heap again if it is non-NULL, which can lead to a\ndouble-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg\ndevice is subsequently removed/unbound.\nClear cctx->remote_heap after freeing it in the error path to prevent the\nlater cleanup from freeing it again.\n\nThis issue was found by an in-house analysis workflow that extracts AST-based\ninformation and runs static checks, with LLM assistance for triage, and was\nconfirmed by manual code review.\nNo hardware testing was performed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0bdee4118340c5a756220c1b29a7dab86bb0aa65","https://git.kernel.org/stable/c/3a164f640953cc982804746e772d379171aff5c6","https://git.kernel.org/stable/c/4b8e527aca357a6488680713bd88007cf8f547fe","https://git.kernel.org/stable/c/ba2c83167b215da30fa2aae56b140198cf8d8408","https://git.kernel.org/stable/c/f67d368d26764a357691b2b3a33d3cb55b435bfc"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31731","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Address thermal zone removal races with resume\n\nSince thermal_zone_pm_complete() and thermal_zone_device_resume()\nre-initialize the poll_queue delayed work for the given thermal zone,\nthe cancel_delayed_work_sync() in thermal_zone_device_unregister()\nmay miss some already running work items and the thermal zone may\nbe freed prematurely [1].\n\nThere are two failing scenarios that both start with\nrunning thermal_pm_notify_complete() right before invoking\nthermal_zone_device_unregister() for one of the thermal zones.\n\nIn the first scenario, there is a work item already running for\nthe given thermal zone when thermal_pm_notify_complete() 
calls\nthermal_zone_pm_complete() for that thermal zone and it continues to\nrun when thermal_zone_device_unregister() starts.  Since the poll_queue\ndelayed work has been re-initialized by thermal_pm_notify_complete(), the\nrunning work item will be missed by the cancel_delayed_work_sync() in\nthermal_zone_device_unregister() and if it continues to run past the\nfreeing of the thermal zone object, a use-after-free will occur.\n\nIn the second scenario, thermal_zone_device_resume() queued up by\nthermal_pm_notify_complete() runs right after the thermal_zone_exit()\ncalled by thermal_zone_device_unregister() has returned.  The poll_queue\ndelayed work is re-initialized by it before cancel_delayed_work_sync() is\ncalled by thermal_zone_device_unregister(), so it may continue to run\nafter the freeing of the thermal zone object, which also leads to a\nuse-after-free.\n\nAddress the first failing scenario by ensuring that no thermal work\nitems will be running when thermal_pm_notify_complete() is called.\nFor this purpose, first move the cancel_delayed_work() call from\nthermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent\nnew work from entering the workqueue going forward.  
Next, switch\nover to using a dedicated workqueue for thermal events and update\nthe code in thermal_pm_notify() to flush that workqueue after\nthermal_pm_notify_prepare() has returned which will take care of\nall leftover thermal work already on the workqueue (that leftover\nwork would do nothing useful anyway because all of the thermal zones\nhave been flagged as suspended).\n\nThe second failing scenario is addressed by adding a tz->state check\nto thermal_zone_device_resume() to prevent it from re-initializing\nthe poll_queue delayed work if the thermal zone is going away.\n\nNote that the above changes will also facilitate relocating the suspend\nand resume of thermal zones closer to the suspend and resume of devices,\nrespectively.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a6d2b001eb730d85f00da39ae7db6f3b4edc540","https://git.kernel.org/stable/c/2dbe93f344f10b432b95a23304006be805c097a1","https://git.kernel.org/stable/c/45b859b0728267a6199ee5002d62e6c6f3e8c89d","https://git.kernel.org/stable/c/c4593f1654f7dea3bcf9bb1851ded86311d4f370"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31732","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: Fix resource leaks on errors in gpiochip_add_data_with_key()\n\nSince commit aab5c6f20023 (\"gpio: set device type for GPIO chips\"),\n`gdev->dev.release` is unset.  As a result, the reference count to\n`gdev->dev` isn't dropped on the error handling paths.\n\nDrop the reference on errors.\n\nAlso reorder the instructions to make the error handling simpler.\nNow gpiochip_add_data_with_key() roughly looks like:\n\n   >>> Some memory allocation.  
Go to ERR ZONE 1 on errors.\n   >>> device_initialize().\n\n   gpiodev_release() takes over the responsibility for freeing the\n   resources of `gdev->dev`.  The subsequent error handling paths\n   shouldn't go through ERR ZONE 1 again which leads to double free.\n\n   >>> Some initialization mainly on `gdev`.\n   >>> The rest of initialization.  Go to ERR ZONE 2 on errors.\n   >>> Chip registration success and exit.\n\n   >>> ERR ZONE 2.  gpio_device_put() and exit.\n   >>> ERR ZONE 1.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16fdabe143fce2cbf89139677728e17e21b46c28","https://git.kernel.org/stable/c/f0cf9c7b7c281956cc0dec163132cd96f76e1d60","https://git.kernel.org/stable/c/fb4584d2b324c522404c733c65840a1a6519ada8"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31733","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix stale direct dispatch state in ddsp_dsq_id\n\n@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a\nspurious warning in mark_direct_dispatch() when the next wakeup's\nops.select_cpu() calls scx_bpf_dsq_insert(), such as:\n\n WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140\n\nThe root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(),\nwhich is not reached in all paths that consume or cancel a direct dispatch\nverdict.\n\nFix it by clearing it at the right places:\n\n - direct_dispatch(): cache the direct dispatch state in local variables\n   and clear it before dispatch_enqueue() on the synchronous path. 
For\n   the deferred path, the direct dispatch state must remain set until\n   process_ddsp_deferred_locals() consumes them.\n\n - process_ddsp_deferred_locals(): cache the dispatch state in local\n   variables and clear it before calling dispatch_to_local_dsq(), which\n   may migrate the task to another rq.\n\n - do_enqueue_task(): clear the dispatch state on the enqueue path\n   (local/global/bypass fallbacks), where the direct dispatch verdict is\n   ignored.\n\n - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue()\n   to handle both the deferred dispatch cancellation and the holding_cpu\n   race, covering all cases where a pending direct dispatch is\n   cancelled.\n\n - scx_disable_task(): clear the direct dispatch state when\n   transitioning a task out of the current scheduler. Waking tasks may\n   have had the direct dispatch state set by the outgoing scheduler's\n   ops.select_cpu() and then been queued on a wake_list via\n   ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such\n   tasks are not on the runqueue and are not iterated by scx_bypass(),\n   so their direct dispatch state won't be cleared. 
Without this clear,\n   any subsequent SCX scheduler that tries to direct dispatch the task\n   will trigger the WARN_ON_ONCE() in mark_direct_dispatch().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5","https://git.kernel.org/stable/c/7e0ffb72de8aa3b25989c2d980e81b829c577010","https://git.kernel.org/stable/c/7ea601daa0153e19cd1c6e6b300348c70c05fe77","https://git.kernel.org/stable/c/ca685511f7afd42cdcbb0feea42e5d332d384251"],"published_time":"2026-05-01T15:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31720","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_uac1_legacy: validate control request size\n\nf_audio_complete() copies req->length bytes into a 4-byte stack\nvariable:\n\n  u32 data = 0;\n  memcpy(&data, req->buf, req->length);\n\nreq->length is derived from the host-controlled USB request path,\nwhich can lead to a stack out-of-bounds write.\n\nValidate req->actual against the expected payload size for the\nsupported control selectors and decode only the expected amount\nof data.\n\nThis avoids copying a host-influenced length into a fixed-size\nstack 
object.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee","https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273","https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c","https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605","https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c","https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426","https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8","https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31721","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: move list and spinlock inits from bind to alloc\n\nThere was an issue when you did the following:\n- setup and bind an hid gadget\n- open /dev/hidg0\n- use the resulting fd in EPOLL_CTL_ADD\n- unbind the UDC\n- bind the UDC\n- use the fd in EPOLL_CTL_DEL\n\nWhen CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported\nwithin remove_wait_queue (via ep_remove_wait_queue). After some\ndebugging I found out that the queues, which f_hid registers via\npoll_wait were the problem. These were initialized using\ninit_waitqueue_head inside hidg_bind. 
So effectively, the bind function\nre-initialized the queues while there were still items in them.\n\nThe solution is to move the initialization from hidg_bind to hidg_alloc\nto extend their lifetimes to the lifetime of the function instance.\n\nAdditionally, I found many other possibly problematic init calls in the\nbind function, which I moved as well.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18","https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488","https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2","https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f","https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134","https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03","https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d","https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31722","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... 
/sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe borrowed_net flag is used to indicate whether the network device is\nshared and pre-registered during the legacy driver's bind phase.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18ada801899f2b13ef0ceff42427ad980a41e619","https://git.kernel.org/stable/c/1ef251aa63972fe6c0f107f5abd139b7d0f7987a","https://git.kernel.org/stable/c/6045ea5ca6e3fa13f8a9fafb1c535c86e124c14d","https://git.kernel.org/stable/c/e367599529dc42578545a7f85fde517b35b3cda7"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31723","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_subset: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... 
/sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06524cd1c9011bee141a87e43ab878641ed3652b","https://git.kernel.org/stable/c/70707ce668494c4d35fe070dfbc7cc541b293107","https://git.kernel.org/stable/c/9cbc4f109bb216623894d8819fb930210ed34b21","https://git.kernel.org/stable/c/fde29916e4cc736c4ca6c78f331e12b2c73ccafd"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31724","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\nconsole:/ # ls -l /sys/class/net/usb0\nlrwxrwxrwx ... 
/sys/class/net/usb0 ->\n/sys/devices/platform/.../gadget.0/net/usb0\nconsole:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\nls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14730506b9e2a09d10c963a57a72ed528482fc15","https://git.kernel.org/stable/c/4ccdccff8febc5456aff684627f9a4c5c83b9346","https://git.kernel.org/stable/c/a6b8bce01a30a8c05c034bbc36c34845d65d644f","https://git.kernel.org/stable/c/d9270c9a8118c1535409db926ac1e2545dc97b81"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31725","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ecm: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... 
/sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4e34f3f491fd731809b57ddb5329ec763bd39553","https://git.kernel.org/stable/c/5eaeac22240d965d24c3bd0c54ded64efd8f6ca1","https://git.kernel.org/stable/c/9b1e5589593293c78a2ab8bb118a41e2271a2af8","https://git.kernel.org/stable/c/b2cc4fae67a51f60d81d6af2678696accb07c656"],"published_time":"2026-05-01T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7582","summary":"A vulnerability was detected in AcademySoftwareFoundation OpenImageIO up to 3.2.0.1-dev. This vulnerability affects unknown code of the file src/dds.imageio/ddsinput.cpp of the component DDS Image Handler. The manipulation results in out-of-bounds write. The attack needs to be approached locally. The exploit is now public and may be used. The patch is identified as 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2. 
Applying a patch is advised to resolve this issue.","cvss":1.9,"cvss_version":4.0,"cvss_v2":4.3,"cvss_v3":5.3,"cvss_v4":1.9,"epss":0.00013,"ranking_epss":0.02069,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AcademySoftwareFoundation/OpenImageIO/","https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/94ec2deec3e3bf2f2e2ff84d008e27425d626fe2","https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5131","https://github.com/biniamf/pocs/tree/main/oiio_ddsinput-readimg","https://vuldb.com/submit/803548","https://vuldb.com/vuln/360529","https://vuldb.com/vuln/360529/cti"],"published_time":"2026-05-01T14:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31719","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: krb5enc - fix async decrypt skipping hash verification\n\nkrb5enc_dispatch_decrypt() sets req->base.complete as the skcipher\ncallback, which is the caller's own completion handler. 
When the\nskcipher completes asynchronously, this signals \"done\" to the caller\nwithout executing krb5enc_dispatch_decrypt_hash(), completely bypassing\nthe integrity verification (hash check).\n\nCompare with the encrypt path which correctly uses\nkrb5enc_encrypt_done as an intermediate callback to chain into the\nhash computation on async completion.\n\nFix by adding krb5enc_decrypt_done as an intermediate callback that\nchains into krb5enc_dispatch_decrypt_hash() upon async skcipher\ncompletion, matching the encrypt path's callback pattern.\n\nAlso fix EBUSY/EINPROGRESS handling throughout: remove\nkrb5enc_request_complete() which incorrectly swallowed EINPROGRESS\nnotifications that must be passed up to callers waiting on backlogged\nrequests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done\nfor the dispatch_encrypt return value.\n\n\nUnset MAY_BACKLOG on the async completion path so the user won't\nsee back-to-back EINPROGRESS notifications.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07616,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07cbb1bd424370671814a862913c99a6e1441588","https://git.kernel.org/stable/c/3bfbf5f0a99c991769ec562721285df7ab69240b","https://git.kernel.org/stable/c/e51f42114abbdf47f29dda43e7826be28907fcd2"],"published_time":"2026-05-01T14:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3143","summary":"The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_cli_cancel' function in all versions up to, and including, 1.17.1. 
This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11274,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/admin/class-boldgrid-backup-admin-auto-rollback.php#L1202","https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/admin/class-boldgrid-backup-admin-core.php#L864","https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/includes/class-boldgrid-backup.php#L459","https://plugins.trac.wordpress.org/changeset/3480378/","https://www.wordfence.com/threat-intel/vulnerabilities/id/f25dcd7e-8fb1-471e-bd22-782409de45c4?source=cve"],"published_time":"2026-05-01T14:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42482","summary":"A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. 
The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.2232,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f"],"published_time":"2026-05-01T14:16:22","vendor":"hashcat","product":"hashcat","version":null},{"cve_id":"CVE-2026-42483","summary":"A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00079,"ranking_epss":0.23101,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f","https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f"],"published_time":"2026-05-01T14:16:22","vendor":"hashcat","product":"hashcat","version":null},{"cve_id":"CVE-2026-42484","summary":"A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. 
When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00075,"ranking_epss":0.2232,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f","https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f"],"published_time":"2026-05-01T14:16:22","vendor":"hashcat","product":"hashcat","version":null},{"cve_id":"CVE-2026-31710","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix dir separator in SMB1 UNIX mounts\n\nWhen calling cifs_mount_get_tcon() with SMB1 UNIX mounts,\n@cifs_sb->mnt_cifs_flags needs to be read or updated only after\ncalling reset_cifs_unix_caps(), otherwise it might end up with missing\nCIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits.\n\nThis fixes the wrong dir separator used in paths caused by the missing\nCIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/c4d3fc5844d685441befd0caaab648321013cdfd","https://git.kernel.org/stable/c/fbbfcf35e1ee3396631f3dc6214cb626aa9814c3"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31711","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath.  
The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter.  Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected.  The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\".  
With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00194,"ranking_epss":0.40986,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654","https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4","https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3","https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772","https://git.kernel.org/stable/c/fb48185bcd946d42de7017cf27f912f8ab26acf0"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31712","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require minimum ACE size in smb_check_perm_dacl()\n\nBoth ACE-walk loops in smb_check_perm_dacl() only guard against an\nunder-sized remaining buffer, not against an ACE whose declared\n`ace->size` is smaller than the struct it claims to describe:\n\n  if (offsetof(struct smb_ace, access_req) > aces_size)\n      break;\n  ace_size = le16_to_cpu(ace->size);\n  if (ace_size > aces_size)\n      break;\n\nThe first check only requires the 4-byte ACE header to be in bounds;\nit does not require access_req (4 bytes at offset 4) to be readable.\nAn attacker who has set a crafted DACL on a file they own can declare\nace->size == 4 with aces_size == 4, pass both checks, and then\n\n  granted |= le32_to_cpu(ace->access_req);               /* upper loop */\n  compare_sids(&sid, &ace->sid);                         /* lower loop */\n\nreads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at\noffset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES\n* 4 bytes).\n\nTighten both loops to require\n\n  ace_size >= offsetof(struct smb_ace, sid) + 
CIFS_SID_BASE_SIZE\n\nwhich is the smallest valid on-wire ACE layout (4-byte header +\n4-byte access_req + 8-byte sid base with zero sub-auths).  Also\nreject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES\nbefore letting compare_sids() dereference sub_auth[] entries.\n\nparse_sec_desc() already enforces an equivalent check (lines 441-448);\nsmb_check_perm_dacl() simply grew weaker validation over time.\n\nReachability: authenticated SMB client with permission to set an ACL\non a file.  On a subsequent CREATE against that file, the kernel\nwalks the stored DACL via smb_check_perm_dacl() and triggers the\nOOB read.  Not pre-auth, and the OOB read is not reflected to the\nattacker, but KASAN reports and kernel state corruption are\npossible.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.13031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/151b1799861fde38087c08f613abc2843ef597b0","https://git.kernel.org/stable/c/90089584b2e25c4510b7b987387b4405f0673ece","https://git.kernel.org/stable/c/95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4c","https://git.kernel.org/stable/c/d07b26f39246a82399661936dd0c853983cfade7"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31713","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: abort on fatal signal during sync init\n\nWhen sync init is used and the server exits for some reason (error, crash)\nwhile processing FUSE_INIT, the filesystem creation will hang.  
The reason\nis that while all other threads will exit, the mounting thread (or process)\nwill keep the device fd open, which will prevent an abort from happening.\n\nThis is a regression from the async mount case, where the mount was done\nfirst, and the FUSE_INIT processing afterwards, in which case there's no\nsuch recursive syscall keeping the fd open.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c7fca880a40a209a9c92be14143996d14b93ff6","https://git.kernel.org/stable/c/204aa22a686bfee48daca7db620c1e017615f2ff","https://git.kernel.org/stable/c/300e812b882a174dca675d8028684001ad5826bc"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31714","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid memory leak in f2fs_rename()\n\nsyzbot reported a f2fs bug as below:\n\nBUG: memory leak\nunreferenced object 0xffff888127f70830 (size 16):\n  comm \"syz.0.23\", pid 6144, jiffies 4294943712\n  hex dump (first 16 bytes):\n    3c af 57 72 5b e6 8f ad 6e 8e fd 33 42 39 03 ff  <.Wr[...n..3B9..\n  backtrace (crc 925f8a80):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4520 [inline]\n    slab_alloc_node mm/slub.c:4844 [inline]\n    __do_kmalloc_node mm/slub.c:5237 [inline]\n    __kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250\n    kmalloc_noprof include/linux/slab.h:954 [inline]\n    fscrypt_setup_filename+0x15e/0x3b0 fs/crypto/fname.c:364\n    f2fs_setup_filename+0x52/0xb0 fs/f2fs/dir.c:143\n    f2fs_rename+0x159/0xca0 fs/f2fs/namei.c:961\n    f2fs_rename2+0xd5/0xf20 fs/f2fs/namei.c:1308\n    vfs_rename+0x7ff/0x1250 fs/namei.c:6026\n    filename_renameat2+0x4f4/0x660 fs/namei.c:6144\n    __do_sys_renameat2 fs/namei.c:6173 [inline]\n    
__se_sys_renameat2 fs/namei.c:6168 [inline]\n    __x64_sys_renameat2+0x59/0x80 fs/namei.c:6168\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is in commit 40b2d55e0452 (\"f2fs: fix to create selinux\nlabel during whiteout initialization\"), we added a call to\nf2fs_setup_filename() without a matching call to f2fs_free_filename(),\nfix it.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/047c0aef6af37a2a35181aa085c616ad286386f1","https://git.kernel.org/stable/c/369eb2016d8e2f01931b3bad1cb9cefa83f44003","https://git.kernel.org/stable/c/3cf11e6f36c170050c12171dd6fd3142711478fc","https://git.kernel.org/stable/c/a76c1cad4e80a9802ef8048662255417e3ce5b79","https://git.kernel.org/stable/c/c78206dcb912ab60b8ee3cbe8c48d749a9a12e1e"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31715","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()\n\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\n\nThe concurrent scenario that triggers the panic is as follows:\n\nF2FS_WB_CP_DATA write callback          umount\n                                        - f2fs_write_checkpoint\n                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n - bio_endio\n  - f2fs_write_end_io\n   : dec_page_count(sbi, F2FS_WB_CP_DATA)\n   : wake_up(&sbi->cp_wait)\n                                        - kill_f2fs_super\n                                         - kill_block_super\n                                          - f2fs_put_super\n       
                                    : iput(sbi->node_inode)\n                                           : sbi->node_inode = NULL\n   : f2fs_in_warm_node_list\n    - is_node_folio // sbi->node_inode is NULL and panic\n\nThe root cause is that f2fs_put_super() calls iput(sbi->node_inode) and\nsets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\n\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5","https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53","https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31716","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: validate rec->used in journal-replay file record check\n\ncheck_file_record() validates rec->total against the record size but\nnever validates rec->used.  
The do_action() journal-replay handlers read\nrec->used from disk and use it to compute memmove lengths:\n\n  DeleteAttribute:    memmove(attr, ..., used - asize - roff)\n  CreateAttribute:    memmove(..., attr, used - roff)\n  change_attr_size:   memmove(..., used - PtrOffset(rec, next))\n\nWhen rec->used is smaller than the offset of a validated attribute, or\nlarger than the record size, these subtractions can underflow allowing\nus to copy huge amounts of memory in to a 4kb buffer, generally\nconsidered a bad idea overall.\n\nThis requires a corrupted filesystem, which isn't a threat model the\nkernel really needs to worry about, but checking for such an obvious\nout-of-bounds value is good to keep things robust, especially on journal\nreplay\n\nFix this up by bounding rec->used correctly.\n\nThis is much like commit b2bc7c44ed17 (\"fs/ntfs3: Fix slab-out-of-bounds\nread in DeleteIndexEntryRoot\") which checked different values in this\nsame switch statement.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0112e6279420d4005b3d57af36fb45c01b8d0116","https://git.kernel.org/stable/c/0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b","https://git.kernel.org/stable/c/4b1613d7e2deda831a97e427d1ea586e50fe1be5","https://git.kernel.org/stable/c/f79d0403ea20a81bc29105bba54fbcab54e8c403","https://git.kernel.org/stable/c/f90b8a1798b750755a9e9aee66678f0a1820bbaf"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31717","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate owner of durable handle on reconnect\n\nCurrently, ksmbd does not verify if the user attempting to reconnect\nto a durable handle is the same user who originally opened the file.\nThis allows any authenticated user to hijack an orphaned durable 
handle\nby predicting or brute-forcing the persistent ID.\n\nAccording to MS-SMB2, the server MUST verify that the SecurityContext\nof the reconnect request matches the SecurityContext associated with\nthe existing open.\nAdd a durable_owner structure to ksmbd_file to store the original opener's\nUID, GID, and account name, capture the owner information when a file\nhandle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner()\nto validate the identity of the requester during SMB2_CREATE (DHnC).","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37","https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a","https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31718","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger\n\nWhen a durable file handle survives session disconnect (TCP close without\nSMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the\nhandle for later reconnection. 
However, it did not clean up the byte-range\nlocks on fp->lock_list.\n\nLater, when the durable scavenger thread times out and calls\n__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:\n\n    spin_lock(&fp->conn->llist_lock);\n\nThis caused a slab use-after-free because fp->conn was NULL and the\noriginal connection object had already been freed by\nksmbd_tcp_disconnect().\n\nThe root cause is asymmetric cleanup: lock entries (smb_lock->clist) were\nleft dangling on the freed conn->lock_list while fp->conn was nulled out.\n\nTo fix this issue properly, we need to handle the lifetime of\nsmb_lock->clist across three paths:\n - Safely skip clist deletion when list is empty and fp->conn is NULL.\n - Remove the lock from the old connection's lock_list in\n   session_fd_check()\n - Re-add the lock to the new connection's lock_list in\n   ksmbd_reopen_durable_fd().","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00044,"ranking_epss":0.13136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1","https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad","https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9","https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f"],"published_time":"2026-05-01T14:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31701","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: take a reference on the USB device in create_card()\n\nThe caiaq driver stores a pointer to the parent USB device in\ncdev->chip.dev but never takes a reference on it. 
The card's\nprivate_free callback, snd_usb_caiaq_card_free(), can run\nasynchronously via snd_card_free_when_closed() after the USB\ndevice has already been disconnected and freed, so any access to\ncdev->chip.dev in that path dereferences a freed usb_device.\n\nOn top of the refcounting issue, the current card_free implementation\ncalls usb_reset_device(cdev->chip.dev). A reset in a free callback\nis inappropriate: the device is going away, the call takes the\ndevice lock in a teardown context, and the reset races with the\ndisconnect path that the callback is already cleaning up after.\n\nTake a reference on the USB device in create_card() with\nusb_get_dev(), drop it with usb_put_dev() in the free callback,\nand remove the usb_reset_device() call.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482","https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6","https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e","https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5","https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31702","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()\n\nIn f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring\nthe F2FS_WB_CP_DATA counter to zero, unblocking\nf2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount\nCPU. The unmount path then proceeds to call\nf2fs_destroy_page_array_cache(sbi), which destroys\nsbi->page_array_slab via kmem_cache_destroy(), and eventually\nkfree(sbi). 
Meanwhile, the bio completion callback is still executing:\nwhen it reaches page_array_free(sbi, ...), it dereferences\nsbi->page_array_slab — a destroyed slab cache — to call\nkmem_cache_free(), causing a use-after-free.\n\nThis is the same class of bug as CVE-2026-23234 (which fixed the\nequivalent race in f2fs_write_end_io() in data.c), but in the\ncompressed writeback completion path that was not covered by that fix.\n\nFix this by moving dec_page_count() to after page_array_free(), so\nthat all sbi accesses complete before the counter decrement that can\nunblock unmount. For non-last folios (where atomic_dec_return on\ncic->pending_pages is nonzero), dec_page_count is called immediately\nbefore returning — page_array_free is not reached on this path, so\nthere is no post-decrement sbi access. For the last folio,\npage_array_free runs while the F2FS_WB_CP_DATA counter is still\nnonzero (this folio has not yet decremented it), keeping sbi alive,\nand dec_page_count runs as the final operation.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a","https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a","https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a","https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280","https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31703","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n  wb_get(new_wb);\n  while (1) {\n    list = llist_del_all(&new_wb->switch_wbs_ctxs);\n    /* Nothing to do? 
*/\n    if (!list)\n      break;\n    ... process the items ...\n  }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n  if (llist_add(&isw->list, &wb->switch_wbs_ctxs))\n    queue_work(isw_wq, &wb->switch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb->switch_work is pending while wb->switch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -> no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -> 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let's avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb->switch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a","https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9","https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31704","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use check_add_overflow() to prevent u16 DACL size overflow\n\nset_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes\nin u16 variables. 
When a file has many POSIX ACL entries, the\naccumulated size can wrap past 65535, causing the pointer arithmetic\n(char *)pndace + *size to land within already-written ACEs. Subsequent\nwrites then overwrite earlier entries, and pndacl->size gets a\ntruncated value.\n\nUse check_add_overflow() at each accumulation point to detect the\nwrap before it corrupts the buffer, consistent with existing\ncheck_mul_overflow() usage elsewhere in smbacl.c.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d","https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43","https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db","https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615","https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31705","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. 
The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.13896,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617","https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f","https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2","https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c","https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31706","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()\n\nsmb_inherit_dacl() trusts the on-disk num_aces value from the parent\ndirectory's DACL xattr and uses it to size a heap allocation:\n\n  aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\nwithout checking that it is consistent with the declared pdacl_size.\nAn authenticated client whose parent directory's security.NTACL is\ntampered (e.g. via offline xattr corruption or a concurrent path that\nbypasses parse_dacl()) can present num_aces = 65535 with minimal\nactual ACE data.  
This causes a ~8 MB allocation (not kzalloc, so\nuninitialized) that the subsequent loop only partially populates, and\nmay also overflow the three-way size_t multiply on 32-bit kernels.\n\nAdditionally, the ACE walk loop uses the weaker\noffsetof(struct smb_ace, access_req) minimum size check rather than\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\ndeclared size is below the minimum.\n\nReproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\nA legitimate mount.cifs client creates a parent directory over SMB\n(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\nthe backing filesystem is rewritten to set num_aces = 0xFFFF while\nkeeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s\nhash check still passes.  A subsequent SMB2 CREATE of a child under\nthat parent drives smb2_open() into smb_inherit_dacl() (share has\n\"vfs objects = acl_xattr\" set), which fails the page allocator:\n\n  WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0\n  Workqueue: ksmbd-io handle_ksmbd_work\n   __alloc_frozen_pages_noprof+0x46c/0x9c0\n   ___kmalloc_large_node+0x68/0x130\n   __kmalloc_large_node_noprof+0x24/0x70\n   __kmalloc_noprof+0x4c9/0x690\n   smb_inherit_dacl+0x394/0x2430\n   smb2_open+0x595d/0xabe0\n   handle_ksmbd_work+0x3d3/0x1140\n\nWith the patch applied the added guard rejects the tampered value\nwith -EINVAL before any large allocation runs, smb2_open() falls back\nto smb2_create_sd_buffer(), and the child is created with a default\nSD.  No warning, no splat.\n\nFix by:\n\n  1. Validating num_aces against pdacl_size using the same formula\n     applied in parse_dacl().\n\n  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\n     kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\n     allocation.\n\n  3. 
Tightening the per-ACE loop guard to require the minimum valid\n     ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\n     rejecting under-sized ACEs, matching the hardening in\n     smb_check_perm_dacl() and parse_dacl().\n\nv1 -> v2:\n  - Replace the synthetic test-module splat in the changelog with a\n    real-path UML + KASAN reproduction driven through mount.cifs and\n    SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\n    in v1 since it does not exist in ksmbd.\n  - Drop the commit-hash citation from the code comment per Namjae's\n    review; keep the parse_dacl() pointer.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.13031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/063a7409b0de46d7c770b65bb0338e6fdb3b1f0a","https://git.kernel.org/stable/c/3e4e2ea2a781018ed5d75f969e3e5606beb66e48","https://git.kernel.org/stable/c/3e5360b422dd741cb315654a191fa73869a37414","https://git.kernel.org/stable/c/59c32abaaec9cdd6164811c7e864e72f7554b82d"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31707","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate response sizes in ipc_validate_msg()\n\nipc_validate_msg() computes the expected message size for each\nresponse type by adding (or multiplying) attacker-controlled fields\nfrom the daemon response to a fixed struct size in unsigned int\narithmetic.  
Three cases can overflow:\n\n  KSMBD_EVENT_RPC_REQUEST:\n      msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;\n  KSMBD_EVENT_SHARE_CONFIG_REQUEST:\n      msg_sz = sizeof(struct ksmbd_share_config_response) +\n               resp->payload_sz;\n  KSMBD_EVENT_LOGIN_REQUEST_EXT:\n      msg_sz = sizeof(struct ksmbd_login_response_ext) +\n               resp->ngroups * sizeof(gid_t);\n\nresp->payload_sz is __u32 and resp->ngroups is __s32.  Each addition\ncan wrap in unsigned int; the multiplication by sizeof(gid_t) mixes\nsigned and size_t, so a negative ngroups is converted to SIZE_MAX\nbefore the multiply.  A wrapped value of msg_sz that happens to\nequal entry->msg_sz bypasses the size check on the next line, and\ndownstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,\nkmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the\nunverified length.\n\nUse check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST\npaths to detect integer overflow without constraining functional\npayload size; userspace ksmbd-tools grows NDR responses in 4096-byte\nchunks for calls like NetShareEnumAll, so a hard transport cap is\nunworkable on the response side.  For LOGIN_REQUEST_EXT, reject\nresp->ngroups outside the signed [0, NGROUPS_MAX] range up front and\nreport the error from ipc_validate_msg() so it fires at the IPC\nboundary; with that bound the subsequent multiplication and addition\nstay well below UINT_MAX.  
The now-redundant ngroups check and\npr_err in ksmbd_alloc_user() are removed.\n\nThis is the response-side analogue of aab98e2dbd64 (\"ksmbd: fix\ninteger overflows on 32 bit systems\"), which hardened the request\nside.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/299db777ea0cfa5c407e41b045c24a14c034c27b","https://git.kernel.org/stable/c/7dd0c858e1909769a4c91842724315ee74f1a5f1","https://git.kernel.org/stable/c/99c631d0366c1eab8fb188fe66425f4581ebdde4","https://git.kernel.org/stable/c/d6a6aa81eac2c9bff66dc6e191179cb69a14426b"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31708","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path\n\nsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL\nand the default QUERY_INFO path.  The QUERY_INFO branch clamps\nqi.input_buffer_length to the server-reported OutputBufferLength and then\ncopies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but\nit never verifies that the flexible-array payload actually fits within\nrsp_iov[1].iov_len.\n\nA malicious server can return OutputBufferLength larger than the actual\nQUERY_INFO response, causing copy_to_user() to walk past the response\nbuffer and expose adjacent kernel heap to userspace.\n\nGuard the QUERY_INFO copy with a bounds check on the actual Buffer\npayload.  
Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)\nrather than an open-coded addition so the guard cannot overflow on\n32-bit builds.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.118,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78","https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131","https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6","https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e","https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31709","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate the whole DACL before rewriting it in cifsacl\n\nbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl->num_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths.  
parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11538,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a","https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8"],"published_time":"2026-05-01T14:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31694","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. 
On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b","https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5","https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed","https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f","https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31695","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.\n\nLet's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4d/0x70\n  print_report+0x170/0x4f3\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  kasan_report+0xda/0x110\n  ? 
__pm_runtime_resume+0xe2/0xf0\n  ? __pm_runtime_resume+0xe2/0xf0\n  __pm_runtime_resume+0xe2/0xf0\n  ethnl_ops_begin+0x49/0x270\n  ethnl_set_features+0x23c/0xab0\n  ? __pfx_ethnl_set_features+0x10/0x10\n  ? kvm_sched_clock_read+0x11/0x20\n  ? local_clock_noinstr+0xf/0xf0\n  ? local_clock+0x10/0x30\n  ? kasan_save_track+0x25/0x60\n  ? __kasan_kmalloc+0x7f/0x90\n  ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n  genl_family_rcv_msg_doit+0x1e7/0x2c0\n  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n  ? __pfx_cred_has_capability.isra.0+0x10/0x10\n  ? stack_trace_save+0x8e/0xc0\n  genl_rcv_msg+0x411/0x660\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_ethnl_set_features+0x10/0x10\n  netlink_rcv_skb+0x121/0x380\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_netlink_rcv_skb+0x10/0x10\n  ? __pfx_down_read+0x10/0x10\n  genl_rcv+0x23/0x30\n  netlink_unicast+0x60f/0x830\n  ? __pfx_netlink_unicast+0x10/0x10\n  ? __pfx___alloc_skb+0x10/0x10\n  netlink_sendmsg+0x6ea/0xbc0\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ? __futex_queue+0x10b/0x1f0\n  ____sys_sendmsg+0x7a2/0x950\n  ? copy_msghdr_from_user+0x26b/0x430\n  ? __pfx_____sys_sendmsg+0x10/0x10\n  ? __pfx_copy_msghdr_from_user+0x10/0x10\n  ___sys_sendmsg+0xf8/0x180\n  ? __pfx____sys_sendmsg+0x10/0x10\n  ? __pfx_futex_wait+0x10/0x10\n  ? fdget+0x2e4/0x4a0\n  __sys_sendmsg+0x11f/0x1c0\n  ? __pfx___sys_sendmsg+0x10/0x10\n  do_syscall_64+0xe2/0x570\n  ? 
exc_page_fault+0x66/0xb0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  </TASK>\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01762,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5adc01506da94dfaab76f3d1b8410a8ca7bfc59d","https://git.kernel.org/stable/c/5bbadf60b121065ffb267ec92018607b9c1c7524","https://git.kernel.org/stable/c/789b06f9f39cdc7e895bdab2c034e39c41c8f8d6","https://git.kernel.org/stable/c/c5fa98842783ed227365d1303785de6a67020c8d","https://git.kernel.org/stable/c/d1e3aa80e6e04410ba89eaaba4441a0d749d181d","https://git.kernel.org/stable/c/dcb5915696bd7b32b6404a897c24ee47cb23e772","https://git.kernel.org/stable/c/e90f3e74e1ebc26c461a74be490d322716bcdcb4"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31696","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads <= 28\nbytes). 
While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05767,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1","https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92","https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b","https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383","https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31697","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed.  If the failure was due to an\ninvalid length, i.e. 
the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n  CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n   sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware 
error.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5","https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363","https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea","https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e","https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31698","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don't attempt to copy the blobs to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n  CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc.                                                       
Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n   sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274","https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70","https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf","https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472","https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31699","summary":"In the Linux 
kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don't attempt to copy the blob to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n  CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n   sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/111dcc6d0f016076745824a787d25609d0022f4c","https://git.kernel.org/stable/c/3b4fd8f15765d9a3105b834dba8a05d025e5e16e","https://git.kernel.org/stable/c/59e9ae81f8670ccc780bc75f45a355736f640ec9","https://git.kernel.org/stable/c/607ba280f2adb5092cf5386c3935afac2ca0031a","https://git.kernel.org/stable/c/abe4a6d6f606113251868c2c4a06ba904bb41eed"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31700","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap'd TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. 
The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap'd ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27","https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5","https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd","https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b","https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"],"published_time":"2026-05-01T14:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7581","summary":"A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.04.10 is able to mitigate this issue. The identifier of the patch is 0072d3488ae5b8d922d3ee87458d829993742a32. 
It is recommended to upgrade the affected component.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00016,"ranking_epss":0.03935,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/alexta69/metube/","https://github.com/alexta69/metube/commit/0072d3488ae5b8d922d3ee87458d829993742a32","https://github.com/alexta69/metube/pull/949","https://github.com/alexta69/metube/releases/tag/2026.04.10","https://github.com/az10b/security-advisories/blob/main/cors_MeTube.md","https://vuldb.com/submit/801529","https://vuldb.com/vuln/360528","https://vuldb.com/vuln/360528/cti"],"published_time":"2026-05-01T13:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7579","summary":"A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00045,"ranking_epss":0.13591,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AstrBotDevs/AstrBot/","https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-vrqm-xcfv-286r","https://github.com/Dave-gilmore-aus/security-advisories/blob/main/AstrBot-Security-Advisory","https://vuldb.com/submit/793437","https://vuldb.com/vuln/360420","https://vuldb.com/vuln/360420/cti","https://vuldb.com/submit/793437"],"published_time":"2026-05-01T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7580","summary":"A vulnerability was detected in Exiftool up to 13.53. 
Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: \"[J]ust to be safe, probably never happen\".","cvss":1.9,"cvss_version":4.0,"cvss_v2":4.3,"cvss_v3":5.3,"cvss_v4":1.9,"epss":7e-05,"ranking_epss":0.00608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/exiftool/exiftool/","https://github.com/exiftool/exiftool/commit/5a8b6b6ead12b39e3f32f978a4efd0233facbb01","https://github.com/exiftool/exiftool/commit/5a8b6b6ead12b39e3f32f978a4efd0233facbb01#diff-5a95c56c6f98f0aa538233fd81bb9967154f3e9ebd4126a98dfb126c4c5629a4","https://github.com/exiftool/exiftool/releases/tag/13.54","https://vuldb.com/submit/800049","https://vuldb.com/vuln/360421","https://vuldb.com/vuln/360421/cti","https://youtu.be/WktMPapQxlM"],"published_time":"2026-05-01T12:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3772","summary":"The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. 
This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.06242,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60","https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103","https://plugins.trac.wordpress.org/changeset/3480577/","https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve"],"published_time":"2026-05-01T12:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3140","summary":"The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. 
This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00232,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ultimate-dashboard/trunk/modules/feature/class-feature-module.php#L120","https://plugins.trac.wordpress.org/changeset/3479396/","https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcdb70f-77db-48ab-ae23-c46caecdd3be?source=cve"],"published_time":"2026-05-01T12:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42404","summary":"Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq","http://www.openwall.com/lists/oss-security/2026/05/01/8"],"published_time":"2026-05-01T11:16:19","vendor":"apache","product":"neethi","version":null},{"cve_id":"CVE-2026-42778","summary":"The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. 
The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade\n\n\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00144,"ranking_epss":0.34249,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0"],"published_time":"2026-05-01T11:16:19","vendor":"apache","product":"mina","version":null},{"cve_id":"CVE-2026-42779","summary":"The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\n\n\n\n\n\n\n\nApache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter before calling Class.forName(). 
\n\n\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call  IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00144,"ranking_epss":0.34249,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0"],"published_time":"2026-05-01T11:16:19","vendor":"apache","product":"mina","version":null},{"cve_id":"CVE-2026-7578","summary":"A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00033,"ranking_epss":0.09464,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/qingyun985/Cyber-Security/issues/1","https://vuldb.com/submit/792283","https://vuldb.com/vuln/360419","https://vuldb.com/vuln/360419/cti"],"published_time":"2026-05-01T11:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7567","summary":"The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. 
When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00066,"ranking_epss":0.20191,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/admin.php#L135","https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/admin.php#L179","https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/options.php#L157","https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/admin.php#L135","https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/admin.php#L179","https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/options.php#L157","https://www.wordfence.com/threat-intel/vulnerabilities/id/f97c669b-86c1-4873-a050-76972f494099?source=cve"],"published_time":"2026-05-01T10:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42403","summary":"Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. 
An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07251,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzo","http://www.openwall.com/lists/oss-security/2026/05/01/7"],"published_time":"2026-05-01T09:16:17","vendor":"apache","product":"neethi","version":null},{"cve_id":"CVE-2026-43001","summary":"An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.","cvss":7.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01644,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/keystone/+bug/2149775","https://review.opendev.org/c/openstack/keystone/+/985804"],"published_time":"2026-05-01T09:16:17","vendor":"openstack","product":"keystone","version":null},{"cve_id":"CVE-2026-43003","summary":"An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. 
Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/ironic-python-agent/+bug/2148310","https://github.com/openstack/ironic-python-agent/blob/236b33abffe6688afc39c21e351cc3889b3db2dd/ironic_python_agent/efi_utils.py#L134-L139"],"published_time":"2026-05-01T09:16:17","vendor":"openstack","product":"ironic_python_agent","version":null},{"cve_id":"CVE-2026-40201","summary":"@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01185,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/diplodoc-platform/search-extension/pull/41","https://github.com/diplodoc-platform/search-extension/releases","https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3","https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md"],"published_time":"2026-05-01T09:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42402","summary":"Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. 
This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.\n\nUsers should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4","http://www.openwall.com/lists/oss-security/2026/05/01/6"],"published_time":"2026-05-01T09:16:16","vendor":"apache","product":"neethi","version":null},{"cve_id":"CVE-2026-7584","summary":"The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. 
Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.4,"epss":0.00037,"ranking_epss":0.10748,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zhinst.com/support/security/2026/zi-sa-2026-002/"],"published_time":"2026-05-01T08:16:01","vendor":"zhinst","product":"labone_q","version":null},{"cve_id":"CVE-2026-42996","summary":"JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in grid2deg in APRSISClient.cpp.","cvss":10.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":10.0,"epss":0.00014,"ranking_epss":0.02521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://amateur-radio-resources.sourceforge.io/PDF/JS8APRS.pdf","https://github.com/JS8Call-improved/JS8Call-improved/commit/a6c7a19b82bbd7c2c0c892576f84d7449e8c7088","https://github.com/JS8Call-improved/JS8Call-improved/security/advisories/GHSA-98hp-pjp7-w62x","https://github.com/js8call/js8call/blob/fd721e8b67eed84cb3c09d018205ab9a53e1a8b1/APRSISClient.cpp#L89-L102","https://github.com/JS8Call-improved/JS8Call-improved/security/advisories/GHSA-98hp-pjp7-w62x"],"published_time":"2026-05-01T07:15:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6127","summary":"The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. 
The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/elementor/tags/4.0.1/includes/base/widget-base.php#L794","https://plugins.trac.wordpress.org/browser/elementor/tags/4.0.1/includes/plugin.php#L840","https://plugins.trac.wordpress.org/browser/elementor/tags/4.0.1/modules/wp-rest/classes/elementor-post-meta.php#L68","https://plugins.trac.wordpress.org/browser/elementor/trunk/includes/base/widget-base.php#L794","https://plugins.trac.wordpress.org/browser/elementor/trunk/includes/plugin.php#L840","https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L68","https://plugins.trac.wordpress.org/changeset/3519457/","https://www.wordfence.com/threat-intel/vulnerabilities/id/826a2003-c526-4760-8c21-10d5ae7bb384?source=cve"],"published_time":"2026-05-01T06:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7554","summary":"A vulnerability was determined in D-Link M60 up to 1.20B02. 
Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.","cvss":2.9,"cvss_version":4.0,"cvss_v2":5.1,"cvss_v3":5.6,"cvss_v4":2.9,"epss":0.00045,"ranking_epss":0.13392,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/805642","https://vuldb.com/vuln/360362","https://vuldb.com/vuln/360362/cti","https://www.dlink.com/","https://www.yuque.com/iam0range/rle72q/dhs1zsbgtm1ne0y1"],"published_time":"2026-05-01T06:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7555","summary":"A vulnerability was identified in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/login.php. Such manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nidieaaa/test/issues/9","https://itsourcecode.com/","https://vuldb.com/submit/805852","https://vuldb.com/vuln/360363","https://vuldb.com/vuln/360363/cti"],"published_time":"2026-05-01T06:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-13362","summary":"Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00086,"ranking_epss":0.24547,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.tr
ac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js","https://plugins.trac.wordpress.org/changeset/3229060/","https://plugins.trac.wordpress.org/changeset/3235286/","https://plugins.trac.wordpress.org/changeset/3249130/","https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve"],"published_time":"2026-05-01T06:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7553","summary":"A vulnerability was found in code-projects Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_exercises.php. The manipulation of the argument edit_exercise results in sql injection. It is possible to launch the attack remotely. 
The exploit has been made public and could be used.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00027,"ranking_epss":0.07702,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://fox-byte.yuque.com/org-wiki-fox-byte-ig3xms/rdgsp5/yg012bnp1xorwq0p","https://vuldb.com/submit/805603","https://vuldb.com/vuln/360361","https://vuldb.com/vuln/360361/cti"],"published_time":"2026-05-01T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7549","summary":"A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=delete_customer. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/khairulazly760530-cell/cves/issues/3","https://vuldb.com/submit/805538","https://vuldb.com/vuln/360359","https://vuldb.com/vuln/360359/cti","https://www.sourcecodester.com/"],"published_time":"2026-05-01T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7550","summary":"A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=save_customer. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. 
The exploit has been disclosed to the public and may be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/khairulazly760530-cell/cves/issues/2","https://vuldb.com/submit/805539","https://vuldb.com/vuln/360360","https://vuldb.com/vuln/360360/cti","https://www.sourcecodester.com/"],"published_time":"2026-05-01T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42994","summary":"Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":8.8,"epss":0.00046,"ranking_epss":0.13894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127"],"published_time":"2026-05-01T05:16:01","vendor":"bitwarden","product":"cli","version":null},{"cve_id":"CVE-2026-7546","summary":"A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. The impacted element is the function find_host_ip of the component lighttpd. Such manipulation of the argument Host leads to stack-based buffer overflow. The attack can be executed remotely. 
The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00077,"ranking_epss":0.22668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/newym/cve/blob/main/totolinknr1800x.md","https://vuldb.com/submit/804404","https://vuldb.com/vuln/360357","https://vuldb.com/vuln/360357/cti","https://www.totolink.net/"],"published_time":"2026-05-01T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7548","summary":"A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. This affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument setUssd results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.01158,"ranking_epss":0.78669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/newym/cve/blob/main/totolink%20nr1800x%20command%20injection.md","https://vuldb.com/submit/804417","https://vuldb.com/vuln/360358","https://vuldb.com/vuln/360358/cti","https://www.totolink.net/"],"published_time":"2026-05-01T03:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7536","summary":"A vulnerability was determined in Open5GS up to 2.7.7. This vulnerability affects the function bsf_sess_add_by_ip_address of the file /nbsf-management/v1/pcfBindings of the component BSF. Executing a manipulation of the argument ipv4Addr can lead to denial of service. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00042,"ranking_epss":0.12446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4400","https://vuldb.com/submit/804292","https://vuldb.com/vuln/360353","https://vuldb.com/vuln/360353/cti"],"published_time":"2026-05-01T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7538","summary":"A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75643,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_329/README.md","https://vuldb.com/submit/804321","https://vuldb.com/vuln/360354","https://vuldb.com/vuln/360354/cti","https://www.totolink.net/"],"published_time":"2026-05-01T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7545","summary":"A weakness has been identified in SourceCodester Advanced School Management System 1.0. The affected element is an unknown function of the file commonController.php of the component checkEmail Endpoint. This manipulation causes sql injection. Remote exploitation of the attack is possible. 
The exploit has been made available to the public and could be used for attacks.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eqwerwq/CVE/issues/2","https://vuldb.com/submit/804340","https://vuldb.com/vuln/360356","https://vuldb.com/vuln/360356/cti","https://www.sourcecodester.com/"],"published_time":"2026-05-01T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7535","summary":"A vulnerability was found in Open5GS up to 2.7.7. This affects the function amf_namf_comm_handle_registration_status_update_request in the library /lib/app/ogs-init.c of the file /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update. Performing a manipulation of the argument ueContextId results in denial of service. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00057,"ranking_epss":0.17628,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4399","https://vuldb.com/submit/804291","https://vuldb.com/submit/804303","https://vuldb.com/vuln/360352","https://vuldb.com/vuln/360352/cti"],"published_time":"2026-05-01T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7518","summary":"A flaw has been found in Open5GS up to 2.7.7. This issue affects the function amf_namf_callback_handle_sdm_data_change_notify of the file /namf-callback/v1/{id}/sdmsubscription-notify of the component AMF SBI Endpoint. This manipulation of the argument changeItem.newValue causes denial of service. The attack can be initiated remotely. The exploit has been published and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00039,"ranking_epss":0.11536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/","https://github.com/open5gs/open5gs/issues/4395","https://vuldb.com/submit/804023","https://vuldb.com/vuln/360332","https://vuldb.com/vuln/360332/cti"],"published_time":"2026-05-01T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7519","summary":"A vulnerability has been found in Fujian Apex LiveBOS up to 2.0. Impacted is an unknown function of the file /feed/UploadImage.do of the component Endpoint. Such manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1 is recommended to address this issue. Upgrading the affected component is advised.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00043,"ranking_epss":0.12881,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://my.feishu.cn/docx/TCyMdptvaoTQCvxkHLbceJZCnge?from=from_copylink","https://vuldb.com/submit/804096","https://vuldb.com/vuln/360333","https://vuldb.com/vuln/360333/cti"],"published_time":"2026-05-01T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5656","summary":"Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code 
execution","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01411,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21115","https://www.wireshark.org/security/wnpa-sec-2026-21.html"],"published_time":"2026-05-01T00:16:25","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-7512","summary":"A flaw has been found in UTT HiPER 1200GW up to 2.5.3-1703. The affected element is the function strcpy of the file /goform/formUser. Executing a manipulation can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00041,"ranking_epss":0.12271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kirlic123/IOTvulner/tree/main/4035/3","https://vuldb.com/submit/803995","https://vuldb.com/vuln/360323","https://vuldb.com/vuln/360323/cti"],"published_time":"2026-05-01T00:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7513","summary":"A vulnerability has been found in UTT HiPER 1200GW up to 2.5.3-170306. The impacted element is the function strcpy of the file /goform/formRemoteControl. The manipulation leads to buffer overflow. The attack may be initiated remotely. 
The exploit has been disclosed to the public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00041,"ranking_epss":0.12271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kirlic123/IOTvulner/blob/main/4035/4/4.md","https://vuldb.com/submit/803996","https://vuldb.com/vuln/360324","https://vuldb.com/vuln/360324/cti"],"published_time":"2026-05-01T00:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5403","summary":"SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21103","https://www.wireshark.org/security/wnpa-sec-2026-16.html"],"published_time":"2026-05-01T00:16:24","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5404","summary":"K12 RF5 file parser crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21094","https://www.wireshark.org/security/wnpa-sec-2026-15.html"],"published_time":"2026-05-01T00:16:24","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5405","summary":"RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code 
execution","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21105","https://www.wireshark.org/security/wnpa-sec-2026-17.html"],"published_time":"2026-05-01T00:16:24","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-22726","summary":"Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application.\nRouting release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10985,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cloudfoundry.org/blog/cve-2026-22726-route-services-firewall-bypass/"],"published_time":"2026-05-01T00:16:23","vendor":"cloudfoundry","product":"cf-deployment","version":null},{"cve_id":"CVE-2026-22726","summary":"Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. 
As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application.\nRouting release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10985,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cloudfoundry.org/blog/cve-2026-22726-route-services-firewall-bypass/"],"published_time":"2026-05-01T00:16:23","vendor":"cloudfoundry","product":"routing_release","version":null},{"cve_id":"CVE-2026-7508","summary":"A vulnerability was found in Bootstrap CMS 0.9.0-alpha. Affected is an unknown function of the file resources/views/pages/show.blade.php of the component Page Creation Handler. Performing a manipulation of the argument body results in code injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The code repository of the project has not been active for many years. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00041,"ranking_epss":0.12182,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/803531","https://vuldb.com/vuln/360316","https://vuldb.com/vuln/360316/cti","https://www.yuque.com/fortune-toq55/giqwnb/ra0b34kzmqn8e0m1"],"published_time":"2026-04-30T23:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7510","summary":"A vulnerability was determined in OWASP DefectDojo up to 2.55.4. 
Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.56.0 addresses this issue. This patch is called eb6120a379185d37eb1af17b69bb5614a830ab1f. Upgrading the affected component is recommended.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.1278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/DefectDojo/django-DefectDojo/commit/eb6120a379185d37eb1af17b69bb5614a830ab1f","https://github.com/DefectDojo/django-DefectDojo/pull/14375","https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.56.0","https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md","https://vuldb.com/submit/803751","https://vuldb.com/vuln/360317","https://vuldb.com/vuln/360317/cti"],"published_time":"2026-04-30T23:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28909","summary":"Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. 
This issue is fixed in container version 0.12.3.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09607,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7"],"published_time":"2026-04-30T23:16:20","vendor":"apple","product":"container","version":null},{"cve_id":"CVE-2026-4178","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7505","summary":"A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. 
You should upgrade the affected component.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00044,"ranking_epss":0.1323,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nextlevelbuilder/goclaw/","https://github.com/nextlevelbuilder/goclaw/commit/406022e79f4a18b3070a446712080571eff11e30","https://github.com/nextlevelbuilder/goclaw/issues/866","https://github.com/nextlevelbuilder/goclaw/pull/950","https://github.com/nextlevelbuilder/goclaw/releases/tag/v3.9.0","https://vuldb.com/submit/803458","https://vuldb.com/vuln/360314","https://vuldb.com/vuln/360314/cti"],"published_time":"2026-04-30T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7506","summary":"A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.0003,"ranking_epss":0.08508,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wangzhongyang085/CVE/issues/2","https://vuldb.com/submit/803492","https://vuldb.com/vuln/360315","https://vuldb.com/vuln/360315/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-30T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7551","summary":"HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. 
Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00312,"ranking_epss":0.54271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/HKUDS/OpenHarness/commit/438e37309778e19060dfe7b172eb142e543c4cd6","https://github.com/HKUDS/OpenHarness/pull/208","https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command"],"published_time":"2026-04-30T22:16:27","vendor":"hkuds","product":"openharness","version":null},{"cve_id":"CVE-2026-6389","summary":"IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. 
An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01117,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270720"],"published_time":"2026-04-30T22:16:26","vendor":"ibm","product":"turbonomic_prometurbo_agent","version":null},{"cve_id":"CVE-2026-6542","summary":"IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.07058,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270886"],"published_time":"2026-04-30T22:16:26","vendor":"langflow","product":"langflow","version":null},{"cve_id":"CVE-2026-6543","summary":"IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271092"],"published_time":"2026-04-30T22:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7502","summary":"A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. 
The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Management Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.5,"cvss_v3":5.4,"cvss_v4":2.1,"epss":0.00043,"ranking_epss":0.12824,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/LinkStackOrg/LinkStack/","https://github.com/LinkStackOrg/LinkStack/pull/975","https://github.com/LinkStackOrg/LinkStack/pull/975#issuecomment-4224234970","https://github.com/az10b/security-advisories/blob/main/idor_linkstack.md","https://vuldb.com/submit/801787","https://vuldb.com/vuln/360312","https://vuldb.com/vuln/360312/cti"],"published_time":"2026-04-30T22:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7503","summary":"A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be launched remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00043,"ranking_epss":0.13013,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A800R/02_Buffer_Overflow_setWiFiMultipleConfig.md","https://vuldb.com/submit/803120","https://vuldb.com/vuln/360313","https://vuldb.com/vuln/360313/cti"],"published_time":"2026-04-30T22:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1577","summary":"IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14468,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269434"],"published_time":"2026-04-30T22:16:25","vendor":"ibm","product":"db2","version":null},{"cve_id":"CVE-2026-2311","summary":"IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check. A malicious actor could cause user-controlled code to run with administrator privilege.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10748,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269560"],"published_time":"2026-04-30T22:16:25","vendor":"ibm","product":"i","version":null},{"cve_id":"CVE-2026-3345","summary":"IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. 
An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00052,"ranking_epss":0.16086,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271094"],"published_time":"2026-04-30T22:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40684","summary":"In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.16819,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81","https://exim.org/static/doc/security/CVE-2026-40684.txt","https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment","https://www.openwall.com/lists/oss-security/2026/04/30/21","http://www.openwall.com/lists/oss-security/2026/05/01/11"],"published_time":"2026-04-30T22:16:25","vendor":"exim","product":"exim","version":null},{"cve_id":"CVE-2026-40685","summary":"In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \\ 
skipping.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00054,"ranking_epss":0.16536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code.exim.org/exim/exim/commit/9fdc057e71b87c87a0d3d2288b2810a0efaaba57","https://exim.org/static/doc/security/CVE-2026-40685.txt","https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment","https://www.openwall.com/lists/oss-security/2026/04/30/21"],"published_time":"2026-04-30T22:16:25","vendor":"exim","product":"exim","version":null},{"cve_id":"CVE-2026-40686","summary":"In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.0866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc","https://exim.org/static/doc/security/CVE-2026-40686.txt","https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment","https://www.openwall.com/lists/oss-security/2026/04/30/21"],"published_time":"2026-04-30T22:16:25","vendor":"exim","product":"exim","version":null},{"cve_id":"CVE-2026-40687","summary":"In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap 
memory.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.19804,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505","https://exim.org/static/doc/security/CVE-2026-40687.txt","https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40687.assessment","https://www.openwall.com/lists/oss-security/2026/04/30/21"],"published_time":"2026-04-30T22:16:25","vendor":"exim","product":"exim","version":null},{"cve_id":"CVE-2025-14688","summary":"IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14468,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7269424"],"published_time":"2026-04-30T22:16:24","vendor":"ibm","product":"db2","version":null},{"cve_id":"CVE-2025-36122","summary":"IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7267642"],"published_time":"2026-04-30T22:16:24","vendor":"ibm","product":"db2","version":null},{"cve_id":"CVE-2025-36180","summary":"IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an 
attacker to transfer data between pods without restrictions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03256,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270593"],"published_time":"2026-04-30T22:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-36335","summary":"IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01575,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7270923"],"published_time":"2026-04-30T22:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7435","summary":"SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":8.6,"epss":0.00127,"ranking_epss":0.31547,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/siteserver/cms","https://github.com/siteserver/cms/issues/3891","https://www.vulncheck.com/advisories/sscms-sql-injection-via-stl-sqlcontent-querystring","https://github.com/siteserver/cms/issues/3891"],"published_time":"2026-04-30T21:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7501","summary":"A weakness has been identified in LinkStackOrg LinkStack up to 4.8.6. 
Impacted is the function editPage of the file app/Http/Controllers/UserController.php. Executing a manipulation of the argument pageDescription can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through a pull request but has not reacted yet.","cvss":2.0,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":2.0,"epss":0.00034,"ranking_epss":0.09919,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/LinkStackOrg/LinkStack/","https://github.com/LinkStackOrg/LinkStack/pull/974","https://github.com/az10b/security-advisories/blob/main/stored_xss_linkstack.md","https://vuldb.com/submit/801651","https://vuldb.com/vuln/360311","https://vuldb.com/vuln/360311/cti"],"published_time":"2026-04-30T21:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40950","summary":"CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access \nserver prior to 14.50. Attackers with control of a modified client can \nsend a specially crafted message to the server and cause a denial of \nservice","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00043,"ranking_epss":0.12732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40950"],"published_time":"2026-04-30T21:16:33","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-40951","summary":"CVE-2026-40951 is a memory corruption vulnerability on Secure Access \nWindows clients prior to 14.50. 
Attackers with local control of the \nWindows client can send malformed data to an API and trigger a denial of\n service.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":6.8,"epss":0.00015,"ranking_epss":0.03218,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40951"],"published_time":"2026-04-30T21:16:33","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-40951","summary":"CVE-2026-40951 is a memory corruption vulnerability on Secure Access \nWindows clients prior to 14.50. Attackers with local control of the \nWindows client can send malformed data to an API and trigger a denial of\n service.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":6.8,"epss":0.00015,"ranking_epss":0.03218,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40951"],"published_time":"2026-04-30T21:16:33","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-41174","summary":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. 
This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":4.8,"epss":0.0001,"ranking_epss":0.01242,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traefik/traefik/commit/df00d82fc7f12e07199551832b54de6d0e55414d","https://github.com/traefik/traefik/releases/tag/v2.11.43","https://github.com/traefik/traefik/releases/tag/v3.6.14","https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2","https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq"],"published_time":"2026-04-30T21:16:33","vendor":"traefik","product":"traefik","version":null},{"cve_id":"CVE-2026-41263","summary":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. 
This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00013,"ranking_epss":0.02124,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traefik/traefik/releases/tag/v2.11.43","https://github.com/traefik/traefik/releases/tag/v3.6.14","https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2","https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h"],"published_time":"2026-04-30T21:16:33","vendor":"traefik","product":"traefik","version":null},{"cve_id":"CVE-2026-4502","summary":"IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to write arbitrary files on the system.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14081,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271097"],"published_time":"2026-04-30T21:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4503","summary":"IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11906,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271099"],"published_time":"2026-04-30T21:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6539","summary":"Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a 
malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":4.6,"epss":0.00013,"ranking_epss":0.02013,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://notepad-plus-plus.org/news/v894-released/","https://www.vulncheck.com/advisories/notepad-format-string-injection-via-nativelang-xml"],"published_time":"2026-04-30T21:16:33","vendor":"notepad-plus-plus","product":"notepad++","version":null},{"cve_id":"CVE-2026-35051","summary":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.","cvss":7.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":7.8,"epss":0.00014,"ranking_epss":0.02691,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traefik/traefik/releases/tag/v2.11.43","https://github.com/traefik/traefik/releases/tag/v3.6.14","https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2","https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54"],"published_time":"2026-04-30T21:16:32","vendor":"traefik","product":"traefik","version":null},{"cve_id":"CVE-2026-39858","summary":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. 
Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.","cvss":7.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":7.8,"epss":0.00051,"ranking_epss":0.15722,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traefik/traefik/releases/tag/v2.11.43","https://github.com/traefik/traefik/releases/tag/v3.6.14","https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2","https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm"],"published_time":"2026-04-30T21:16:32","vendor":"traefik","product":"traefik","version":null},{"cve_id":"CVE-2026-3340","summary":"IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06658,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271096"],"published_time":"2026-04-30T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3346","summary":"IBM Langflow Desktop 1.6.0 through 1.8.4 Langflow is vulnerable to stored cross-site scripting. 
This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.ibm.com/support/pages/node/7271095"],"published_time":"2026-04-30T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40912","summary":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. 
This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.","cvss":7.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":7.8,"epss":0.00057,"ranking_epss":0.17578,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/traefik/traefik/releases/tag/v2.11.43","https://github.com/traefik/traefik/releases/tag/v3.6.14","https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2","https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847"],"published_time":"2026-04-30T21:16:32","vendor":"traefik","product":"traefik","version":null},{"cve_id":"CVE-2026-40949","summary":"CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to trigger a denial of service.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":6.8,"epss":0.00012,"ranking_epss":0.0171,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40949"],"published_time":"2026-04-30T21:16:32","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-40949","summary":"CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. 
Attackers with local control of the \nWindows client can use it to trigger a denial of service.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":6.8,"epss":0.00012,"ranking_epss":0.0171,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40949"],"published_time":"2026-04-30T21:16:32","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-28532","summary":"FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":0.00014,"ranking_epss":0.02841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd","https://github.com/FRRouting/frr/pull/21002","https://github.com/FRRouting/frr/releases/tag/frr-10.5.3","https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions"],"published_time":"2026-04-30T21:16:31","vendor":"frrouting","product":"frrouting","version":null},{"cve_id":"CVE-2026-33449","summary":"CVE-2026-33449 is a buffer overflow in a message handling function of \nthe Secure Access client prior to 14.50. 
Attackers with control of \na modified server can send a cryptographically valid message to the \nclient, overwriting a small portion of memory conceivably leading to a \ndenial of service.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":2.3,"epss":0.00043,"ranking_epss":0.12812,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449"],"published_time":"2026-04-30T21:16:31","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33450","summary":"CVE-2026-33450 is an out of bounds read vulnerability in the Secure \nAccess MacOS client prior to 14.50. Attackers with control of a modified\n server can send a malformed packet to the client causing a denial of \nservice.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":2.3,"epss":0.00031,"ranking_epss":0.08807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450"],"published_time":"2026-04-30T21:16:31","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33450","summary":"CVE-2026-33450 is an out of bounds read vulnerability in the Secure \nAccess MacOS client prior to 14.50. 
Attackers with control of a modified\n server can send a malformed packet to the client causing a denial of \nservice.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":2.3,"epss":0.00031,"ranking_epss":0.08807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450"],"published_time":"2026-04-30T21:16:31","vendor":"apple","product":"macos","version":null},{"cve_id":"CVE-2026-33451","summary":"CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"],"published_time":"2026-04-30T21:16:31","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33451","summary":"CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"],"published_time":"2026-04-30T21:16:31","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-33452","summary":"CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. 
Attackers with local control of the \nWindows client can use it to ‘blue screen’ the system.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":5.9,"epss":0.00013,"ranking_epss":0.0208,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452"],"published_time":"2026-04-30T21:16:31","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33452","summary":"CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to ‘blue screen’ the system.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":5.9,"epss":0.00013,"ranking_epss":0.0208,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452"],"published_time":"2026-04-30T21:16:31","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-33448","summary":"CVE-2026-33448 is a format string vulnerability in the logging subsystem\n of Secure Access client for MacOS prior to 14.50. Attackers with \ncontrol of a modified server can force the client to dump the contents \nof a small portion of memory to the log files potentially revealing \nsecrets.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448"],"published_time":"2026-04-30T20:16:24","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33448","summary":"CVE-2026-33448 is a format string vulnerability in the logging subsystem\n of Secure Access client for MacOS prior to 14.50. 
Attackers with \ncontrol of a modified server can force the client to dump the contents \nof a small portion of memory to the log files potentially revealing \nsecrets.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00012,"ranking_epss":0.01672,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448"],"published_time":"2026-04-30T20:16:24","vendor":"apple","product":"macos","version":null},{"cve_id":"CVE-2026-7429","summary":"SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":2.1,"epss":0.00029,"ranking_epss":0.0803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/siteserver/cms","https://github.com/siteserver/cms/issues/3892","https://www.vulncheck.com/advisories/sscms-reflected-cross-site-scripting-via-stl-processing","https://github.com/siteserver/cms/issues/3892"],"published_time":"2026-04-30T20:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-46115","summary":"An issue in open5gs v.2.7.3 allows a remote attacker to cause a denial of service via a crafted PDU Session Modification 
Request","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00105,"ranking_epss":0.28015,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/issues/3858"],"published_time":"2026-04-30T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-56568","summary":"Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00106,"ranking_epss":0.28092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open5gs/open5gs/commit/d7707879c943d2c952235382154d835b5849d54e","https://github.com/open5gs/open5gs/issues/3969"],"published_time":"2026-04-30T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33446","summary":"CVE-2026-33446 is a buffer overflow in the authentication sub-system of \nthe Secure Access client prior to 14.50. Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or a denial \nof service.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":2.3,"epss":0.00054,"ranking_epss":0.16666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446"],"published_time":"2026-04-30T20:16:23","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-33447","summary":"CVE-2026-33447 is a buffer overflow in a message parsing function of the\n Secure Access client prior to 14.50. 
Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or denial of \nservice.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":2.3,"epss":0.00059,"ranking_epss":0.18222,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447"],"published_time":"2026-04-30T20:16:23","vendor":"absolute","product":"secure_access","version":null},{"cve_id":"CVE-2026-40601","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.1996,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w"],"published_time":"2026-04-30T19:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40603","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. 
The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f"],"published_time":"2026-04-30T19:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40904","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. 
This issue has been patched in version 5.0.0.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jq95-gqww-vhm3","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jq95-gqww-vhm3"],"published_time":"2026-04-30T19:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7461","summary":"Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.\n\nTo remediate this issue, users should upgrade to version 1.103.0.","cvss":7.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":7.5,"epss":0.00034,"ranking_epss":0.09951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-024-aws/","https://github.com/aws/amazon-ecs-agent/releases/tag/v1.103.0","https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-fc67-c4hg-q653"],"published_time":"2026-04-30T19:16:10","vendor":"amazon","product":"amazon_ecs_container_agent","version":null},{"cve_id":"CVE-2026-32148","summary":"Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.\n\nHex stores checksums for dependencies in the mix.lock file to ensure reproducible and 
integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.\n\nAn attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.\n\nThis issue affects hex: from 0.16.0 before 2.4.2.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":8.9,"epss":0.00017,"ranking_epss":0.0429,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-32148.html","https://github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8e","https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v","https://osv.dev/vulnerability/EEF-CVE-2026-32148","https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v"],"published_time":"2026-04-30T19:16:09","vendor":"hex","product":"hex","version":null},{"cve_id":"CVE-2026-35514","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. 
This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0008,"ranking_epss":0.23236,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp"],"published_time":"2026-04-30T19:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40595","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649"],"published_time":"2026-04-30T19:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40600","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. 
In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm"],"published_time":"2026-04-30T19:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3832","summary":"A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. 
Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-3832","https://bugzilla.redhat.com/show_bug.cgi?id=2445762","https://gitlab.com/gnutls/gnutls/-/issues/1801","https://gitlab.com/gnutls/gnutls/-/issues/1801"],"published_time":"2026-04-30T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3833","summary":"A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. 
This could result in unauthorized access or information disclosure.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00032,"ranking_epss":0.09099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-3833","https://bugzilla.redhat.com/show_bug.cgi?id=2445763","https://gitlab.com/gnutls/gnutls/-/issues/1803","https://gitlab.com/gnutls/gnutls/-/issues/1803"],"published_time":"2026-04-30T18:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36761","summary":"A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08178,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/thinkgem/jeesite","https://github.com/thinkgem/jeesite/issues/528","https://github.com/thinkgem/jeesite/issues/528"],"published_time":"2026-04-30T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36762","summary":"An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem 
locations.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08255,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/thinkgem/jeesite","https://github.com/thinkgem/jeesite/issues/529","https://github.com/thinkgem/jeesite/issues/529"],"published_time":"2026-04-30T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36763","summary":"A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chillzhuang/SpringBlade","https://github.com/chillzhuang/SpringBlade/issues/38","https://github.com/shopizer-ecommerce/shopizer/issues/1091","https://github.com/shopizer-ecommerce/shopizer/issues/1091"],"published_time":"2026-04-30T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36765","summary":"An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chillzhuang/SpringBlade","https://github.com/chillzhuang/SpringBlade/issues/37","https://github.com/chillzhuang/SpringBlade/issues/37"],"published_time":"2026-04-30T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36766","summary":"Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of 
shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08092,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shopizer-ecommerce/shopizer","https://github.com/shopizer-ecommerce/shopizer/issues/1093","https://github.com/shopizer-ecommerce/shopizer/issues/1093"],"published_time":"2026-04-30T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33845","summary":"A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-33845","https://bugzilla.redhat.com/show_bug.cgi?id=2450624"],"published_time":"2026-04-30T18:16:28","vendor":"gnu","product":"gnutls","version":null},{"cve_id":"CVE-2026-33845","summary":"A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. 
This issue is remotely exploitable and may cause information disclosure or denial of service.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-33845","https://bugzilla.redhat.com/show_bug.cgi?id=2450624"],"published_time":"2026-04-30T18:16:28","vendor":"redhat","product":"openshift_container_platform","version":null},{"cve_id":"CVE-2026-33845","summary":"A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:13274","https://access.redhat.com/security/cve/CVE-2026-33845","https://bugzilla.redhat.com/show_bug.cgi?id=2450624"],"published_time":"2026-04-30T18:16:28","vendor":"redhat","product":"enterprise_linux","version":null},{"cve_id":"CVE-2026-36760","summary":"An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is 
enabled.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1184,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/thinkgem/jeesite","https://github.com/thinkgem/jeesite/issues/530","https://github.com/thinkgem/jeesite/issues/530"],"published_time":"2026-04-30T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36764","summary":"A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chillzhuang/SpringBlade","https://github.com/chillzhuang/SpringBlade/issues/36","https://github.com/chillzhuang/SpringBlade/issues/36"],"published_time":"2026-04-30T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36767","summary":"A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19415,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shopizer-ecommerce/shopizer","https://github.com/shopizer-ecommerce/shopizer/issues/1091","https://github.com/shopizer-ecommerce/shopizer/issues/1091"],"published_time":"2026-04-30T17:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-51846","summary":"CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. 
Fixed in 2026.2.2.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00506,"ranking_epss":0.66283,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md","https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e","https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json","https://www.cve.org/CVERecord?id=CVE-2025-51846"],"published_time":"2026-04-30T17:16:25","vendor":"xwiki","product":"cryptpad","version":null},{"cve_id":"CVE-2025-71284","summary":"Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. 
Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00494,"ranking_epss":0.65764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml","https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA","https://mrxn.net/jswz/synway-9-2radius-rce.html","https://www.synway.net/","https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address"],"published_time":"2026-04-30T17:16:25","vendor":"synway","product":"smg_gateway_management_software","version":null},{"cve_id":"CVE-2026-36757","summary":"A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md","https://github.com/halo-dev/halo","https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md"],"published_time":"2026-04-30T17:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-50992","summary":"Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. 
Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00122,"ranking_epss":0.30668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.csdn.net/qq_36618918/article/details/135104295","https://blog.csdn.net/xiayu729100940/article/details/135205082","https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245","https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet","https://www.weaver.com.cn/cs/ecology_full_log.html","https://www.weaver.com.cn/cs/securityDownload.html#"],"published_time":"2026-04-30T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-50993","summary":"Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. 
Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC).","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00215,"ranking_epss":0.43717,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bbs.chaitin.cn/topic/37","https://cn-sec.com/archives/1453025.html","https://service.e-office.cn/knowledge/detail/5","https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet"],"published_time":"2026-04-30T17:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4670","summary":"Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.\n\nThis issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00189,"ranking_epss":0.40317,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174"],"published_time":"2026-04-30T16:16:44","vendor":"progress","product":"moveit_automation","version":null},{"cve_id":"CVE-2026-5174","summary":"Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.\n\nThis issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 
2024.0.0.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00098,"ranking_epss":0.26617,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174"],"published_time":"2026-04-30T16:16:44","vendor":"progress","product":"moveit_automation","version":null},{"cve_id":"CVE-2026-36960","summary":"A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://u-speed.com","https://github.com/kirubel-cve/CVE-2026-36960","https://github.com/kirubel-cve/CVE-2026-36960"],"published_time":"2026-04-30T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38939","summary":"Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php 
component","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8","https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8"],"published_time":"2026-04-30T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38940","summary":"Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8","https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8"],"published_time":"2026-04-30T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34997","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34998","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36340","summary":"An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0008,"ranking_epss":0.23223,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view","https://github.com/cybercrewinc/CVE-2026-36340","https://github.com/krayin/laravel-crm/releases/tag/v2.1.6","https://github.com/cybercrewinc/CVE-2026-36340"],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36756","summary":"A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md","https://github.com/halo-dev/halo","https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md"],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36758","summary":"A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET 
request.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md","https://github.com/halo-dev/halo","https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md"],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36759","summary":"A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.0793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md","https://github.com/halo-dev/halo","https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md"],"published_time":"2026-04-30T16:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34994","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34995","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34996","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-14543","summary":"Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":8.8,"epss":0.00028,"ranking_epss":0.07741,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.rti.com/vulnerabilities/#cve-2025-14543"],"published_time":"2026-04-30T16:16:40","vendor":"rti","product":"connext_professional","version":null},{"cve_id":"CVE-2025-51847","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-51849","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-51850","summary":"Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-13890","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12494. Reason: This candidate is a reservation duplicate of CVE-2025-12494. Notes: All CVE users should reference CVE-2025-12494 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-30T16:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36959","summary":"U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18383,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://u-speed.com","https://github.com/kirubel-cve/CVE-2026-36959","https://github.com/kirubel-cve/CVE-2026-36959"],"published_time":"2026-04-30T15:16:23","vendor":"u-speed","product":"n300_firmware","version":null},{"cve_id":"CVE-2026-36959","summary":"U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. 
This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18383,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://u-speed.com","https://github.com/kirubel-cve/CVE-2026-36959","https://github.com/kirubel-cve/CVE-2026-36959"],"published_time":"2026-04-30T15:16:23","vendor":"u-speed","product":"n300","version":null},{"cve_id":"CVE-2026-7500","summary":"When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06355,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-7500","https://bugzilla.redhat.com/show_bug.cgi?id=2464126"],"published_time":"2026-04-30T15:16:23","vendor":"redhat","product":"build_of_keycloak","version":null},{"cve_id":"CVE-2026-36956","summary":"A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. 
If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04325,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://dbit.com","https://github.com/kirubel-cve/CVE-2026-36956","https://github.com/kirubel-cve/CVE-2026-36956"],"published_time":"2026-04-30T15:16:22","vendor":"dbitnet","product":"dbit_n300_t1_pro_firmware","version":null},{"cve_id":"CVE-2026-36956","summary":"A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04325,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://dbit.com","https://github.com/kirubel-cve/CVE-2026-36956","https://github.com/kirubel-cve/CVE-2026-36956"],"published_time":"2026-04-30T15:16:22","vendor":"dbitnet","product":"dbit_n300_t1_pro","version":null},{"cve_id":"CVE-2026-36957","summary":"Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. 
By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.1103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://dbit.com","https://github.com/kirubel-cve/CVE-2026-36957","https://github.com/kirubel-cve/CVE-2026-36957"],"published_time":"2026-04-30T15:16:22","vendor":"dbitnet","product":"dbit_n300_t1_pro_firmware","version":null},{"cve_id":"CVE-2026-36957","summary":"Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.1103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://dbit.com","https://github.com/kirubel-cve/CVE-2026-36957","https://github.com/kirubel-cve/CVE-2026-36957"],"published_time":"2026-04-30T15:16:22","vendor":"dbitnet","product":"dbit_n300_t1_pro","version":null},{"cve_id":"CVE-2026-36958","summary":"A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. 
This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://u-speed.com","https://github.com/kirubel-cve/CVE-2026-36958"],"published_time":"2026-04-30T15:16:22","vendor":"u-speed","product":"n300_firmware","version":null},{"cve_id":"CVE-2026-36958","summary":"A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://u-speed.com","https://github.com/kirubel-cve/CVE-2026-36958"],"published_time":"2026-04-30T15:16:22","vendor":"u-speed","product":"n300","version":null},{"cve_id":"CVE-2026-7163","summary":"A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. 
The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.0068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:11511","https://access.redhat.com/errata/RHSA-2026:11512","https://access.redhat.com/errata/RHSA-2026:12116","https://access.redhat.com/errata/RHSA-2026:12337","https://access.redhat.com/security/cve/CVE-2026-7163","https://bugzilla.redhat.com/show_bug.cgi?id=2463152"],"published_time":"2026-04-30T14:16:36","vendor":"redhat","product":"multicluster_engine_for_kubernetes","version":null},{"cve_id":"CVE-2026-7246","summary":"Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged 
account.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.0725,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pallets/click/releases/tag/8.3.3","https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw","https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"],"published_time":"2026-04-30T14:16:36","vendor":"palletsprojects","product":"click","version":null},{"cve_id":"CVE-2026-2892","summary":"The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. 
This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00057,"ranking_epss":0.17433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-block-conditions.php#L274","https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L260","https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L284","https://plugins.trac.wordpress.org/changeset/3471326/","https://www.wordfence.com/threat-intel/vulnerabilities/id/3443950f-1f94-4e0b-8906-1a9b9602a746?source=cve"],"published_time":"2026-04-30T14:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7382","summary":"Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.usom.gov.tr/bildirim/tr-26-0141"],"published_time":"2026-04-30T13:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7399","summary":"Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. 
PDKS allows Privilege Abuse.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01251,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.usom.gov.tr/bildirim/tr-26-0141"],"published_time":"2026-04-30T13:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7402","summary":"Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.usom.gov.tr/bildirim/tr-26-0141"],"published_time":"2026-04-30T13:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-13971","summary":"Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":0.00017,"ranking_epss":0.04286,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/"],"published_time":"2026-04-30T13:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-14576","summary":"Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. 
While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":7.4,"epss":9e-05,"ranking_epss":0.00884,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273"],"published_time":"2026-04-30T13:16:02","vendor":"qt","product":"qtdeclarative","version":null},{"cve_id":"CVE-2026-31693","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: some missing initializations on replay\n\nIn several places in the code, we have a label to signify\nthe start of the code where a request can be replayed if\nnecessary. However, some of these places were missing the\nnecessary reinitializations of certain local variables\nbefore replay.\n\nThis change makes sure that these variables get initialized\nafter the label.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14f66f44646333d2bfd7ece36585874fd72f8286","https://git.kernel.org/stable/c/1d731e512134495e0ef490ade0e4d91dc0d515ec","https://git.kernel.org/stable/c/7c9ce68192eef14c777cb6ce17155d2eb2431aea","https://git.kernel.org/stable/c/c854ab481ece4b3e5f4c2e8b22824f015ff874a5","https://git.kernel.org/stable/c/c99e160938b627f6f28edee930e8abc157e84386"],"published_time":"2026-04-30T12:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41882","summary":"In JetBrains IntelliJ IDEA before 2024.3.7.1, \n2025.1.7.1,\n2025.2.6.2,  \n2025.3.4.1, \n2026.1.1 reading arbitrary local files was possible via built-in web 
server","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":1e-05,"ranking_epss":0.00016,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.jetbrains.com/privacy-security/issues-fixed/"],"published_time":"2026-04-30T12:16:24","vendor":"jetbrains","product":"intellij_idea","version":null},{"cve_id":"CVE-2026-5080","summary":"Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely.\n\nThe session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.\n\nThe path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.\n\nThe epoch time can be guessed by an attacker, and may be leaked in the HTTP header.\n\nThe process id comes from a small set of numbers, and workers may have sequential process ids.\n\nThe built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications.\n\nPredictable session ids could allow an attacker to gain access to systems.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11091,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://metacpan.org/release/BIGPRESH/Dancer-1.3522/source/lib/Dancer/Session/Abstract.pm#L85-102","https://security.metacpan.org/patches/D/Dancer/1.3522/CVE-2026-5080-r1.patch","http://www.openwall.com/lists/oss-security/2026/04/30/19"],"published_time":"2026-04-30T12:16:24","vendor":"perldancer","product":"dancer","version":null},{"cve_id":"CVE-2026-1493","summary":"LEX Baza Dokumentów is vulnerable to DOM-based XSS in \"em\" cookie parameter. 
The application unsafely\nprocesses the parameter on the client side, allowing an attacker to execute arbitrary\nJavaScript in the context of the victim's browser.\nAn attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.\n\nThis issue was fixed in version 1.3.4.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":4.6,"epss":8e-05,"ranking_epss":0.00817,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/posts/2026/04/CVE-2025-1493","https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow"],"published_time":"2026-04-30T12:16:23","vendor":"wolterskluwer","product":"lex_baza_dokumentow","version":null},{"cve_id":"CVE-2026-31787","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. 
When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.0943,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5","https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a","https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f","https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808","https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95","https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0","https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850","https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4","http://www.openwall.com/lists/oss-security/2026/04/28/14","http://xenbits.xen.org/xsa/advisory-487.html"],"published_time":"2026-04-30T11:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31692","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: add missing netlink_ns_capable() check for peer netns\n\nrtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer\nnetwork namespace when creating paired devices (veth, vxcan,\nnetkit). 
This allows an unprivileged user with a user namespace\nto create interfaces in arbitrary network namespaces, including\ninit_net.\n\nAdd a netlink_ns_capable() check for CAP_NET_ADMIN in the peer\nnamespace before allowing device creation to proceed.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06276,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0975b64ffb34560042090a5986c3a02e6c80f36f","https://git.kernel.org/stable/c/7b735ef81286007794a227ce2539419479c02a5f","https://git.kernel.org/stable/c/d04cc16d3624218a5458b2b664ae431f1b3b334d"],"published_time":"2026-04-30T11:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31786","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|\n00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|\n00000010  b9 a8 01 42                                       |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it's\nreturned correctly).\n\nThis is XSA-485 / 
CVE-2026-31786","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01539,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28","https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169","https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d","https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a","https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d","https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef","https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4","https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb","http://www.openwall.com/lists/oss-security/2026/04/28/12","http://xenbits.xen.org/xsa/advisory-485.html"],"published_time":"2026-04-30T11:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42800","summary":"NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation.\n\n This vulnerability is associated with program files sip/utils/src/sipuri.c.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02085,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T10:16:02","vendor":"asrmicro","product":"asr1901_firmware","version":null},{"cve_id":"CVE-2026-42800","summary":"NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation.\n\n This vulnerability is associated with program files 
sip/utils/src/sipuri.c.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02085,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T10:16:02","vendor":"asrmicro","product":"asr1901","version":null},{"cve_id":"CVE-2026-42800","summary":"NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation.\n\n This vulnerability is associated with program files sip/utils/src/sipuri.c.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02085,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T10:16:02","vendor":"asrmicro","product":"asr1903_firmware","version":null},{"cve_id":"CVE-2026-42800","summary":"NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation.\n\n This vulnerability is associated with program files sip/utils/src/sipuri.c.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02085,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T10:16:02","vendor":"asrmicro","product":"asr1903","version":null},{"cve_id":"CVE-2026-6498","summary":"The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id POST parameter and the booking's stripe_payment_intent_id property. 
When an unauthenticated attacker submits a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before the Stripe payment intent has been created for a booking (i.e., before the JavaScript-triggered create_stripe_pmtIntnt() call has stored an intent ID in post meta), the stripe_payment_intent_id property on the booking object remains null. The comparison sanitize_text_field('') == null evaluates to TRUE in PHP loose comparison, causing the payment verification check to pass with zero actual payment. This makes it possible for unauthenticated attackers to mark any existing payment_pending booking as paid without completing a Stripe payment by submitting an empty payment_id parameter.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07111,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/restaurant-reservations/tags/2.7.13/includes/PaymentGatewayStripe.class.php#L404","https://plugins.trac.wordpress.org/browser/restaurant-reservations/tags/2.7.13/includes/PaymentGatewayStripe.class.php#L458","https://plugins.trac.wordpress.org/browser/restaurant-reservations/trunk/includes/PaymentGatewayStripe.class.php#L404","https://plugins.trac.wordpress.org/browser/restaurant-reservations/trunk/includes/PaymentGatewayStripe.class.php#L458","https://plugins.trac.wordpress.org/changeset/3518833/restaurant-reservations/trunk/includes/PaymentGatewayStripe.class.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Frestaurant-reservations/tags/2.7.16&new_path=%2Frestaurant-reservations/tags/2.7.17","https://www.wordfence.com/threat-intel/vulnerabilities/id/8ee08aac-7bcc-4809-a5aa-7b95ed736f19?source=cve"],"published_time":"2026-04-30T10:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-41016","summary":"Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no 
certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.1296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/airflow/pull/65346","https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4"],"published_time":"2026-04-30T10:16:01","vendor":"apache","product":"airflow","version":null},{"cve_id":"CVE-2026-35547","summary":"When processing the header of an incoming message, libnv failed to properly validate the message size.\n\nThe lack of validation allows a malicious program to write outside the bounds of a heap allocation.  This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13565,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc"],"published_time":"2026-04-30T09:16:03","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-39457","summary":"When exchanging data over a socket, libnv uses select(2) to wait for data to arrive.  However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption.  
If the target application is setuid-root, then this could be used to elevate local privileges.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc"],"published_time":"2026-04-30T09:16:03","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-42512","summary":"As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers.  The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.\n\nA specially crafted packet can cause dhclient to overrun its buffer of environment entries.  This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00089,"ranking_epss":0.2495,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:15.dhclient.asc"],"published_time":"2026-04-30T09:16:03","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-42799","summary":"Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows Overflow Buffers.\n\n This vulnerability is associated with program files Code/Nr/nr_fw/RA/src/NrPwrCtrl.C.\n\n\n\nThis issue affects Kestrel: before 2026/02/10.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.1275,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T09:16:03","vendor":"asrmicro","product":"asr1803_firmware","version":null},{"cve_id":"CVE-2026-42799","summary":"Out-of-bounds read vulnerability in ASR Kestrel (nr_fw 
modules) allows Overflow Buffers.\n\n This vulnerability is associated with program files Code/Nr/nr_fw/RA/src/NrPwrCtrl.C.\n\n\n\nThis issue affects Kestrel: before 2026/02/10.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.1275,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.asrmicro.com/en/goods/psirt?cid=44"],"published_time":"2026-04-30T09:16:03","vendor":"asrmicro","product":"asr1803","version":null},{"cve_id":"CVE-2026-22070","summary":"ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07996,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024"],"published_time":"2026-04-30T09:16:02","vendor":"oppo","product":"coloros_assistant","version":null},{"cve_id":"CVE-2026-7164","summary":"Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters.  This can eventually result in a stack overflow and panic.\n\nRemote attackers can craft packets which cause affected systems to panic.  
This affects any system where pf is configured to process traffic, independent of the configured ruleset.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00125,"ranking_epss":0.31115,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:14.pf.asc"],"published_time":"2026-04-30T08:16:07","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-6537","summary":"ZigBee protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21125","https://www.wireshark.org/security/wnpa-sec-2026-24.html","https://gitlab.com/wireshark/wireshark/-/work_items/21125"],"published_time":"2026-04-30T07:16:41","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6538","summary":"BEEP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21120","https://www.wireshark.org/security/wnpa-sec-2026-23.html","https://gitlab.com/wireshark/wireshark/-/work_items/21120"],"published_time":"2026-04-30T07:16:41","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6867","summary":"SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21191","https://www.wireshark.org/security/wnpa-sec-2026-45.html"],"published_time":"2026-04-30T07:16:41","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6869","summary":"WebSocket protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21190","https://www.wireshark.org/security/wnpa-sec-2026-44.html","https://gitlab.com/wireshark/wireshark/-/work_items/21190"],"published_time":"2026-04-30T07:16:41","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6870","summary":"GSM RP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21189","https://www.wireshark.org/security/wnpa-sec-2026-43.html","https://gitlab.com/wireshark/wireshark/-/work_items/21189"],"published_time":"2026-04-30T07:16:41","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-7270","summary":"An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.\n\nThe bug may be exploitable by an unprivileged user to obtain superuser 
privileges.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc"],"published_time":"2026-04-30T07:16:41","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-6528","summary":"TLS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21147","https://gitlab.com/wireshark/wireshark/-/work_items/21151","https://www.wireshark.org/security/wnpa-sec-2026-33.html"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6529","summary":"iLBC audio codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21145","https://www.wireshark.org/security/wnpa-sec-2026-32.html"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6530","summary":"DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21144","https://www.wireshark.org/security/wnpa-sec-2026-31.html","https://gitlab.com/wireshark/wireshark/-/work_items/21144"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6531","summary":"SANE protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21139","https://www.wireshark.org/security/wnpa-sec-2026-30.html","https://gitlab.com/wireshark/wireshark/-/work_items/21139"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6532","summary":"Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01776,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21128","https://gitlab.com/wireshark/wireshark/-/issues/21129","https://www.wireshark.org/security/wnpa-sec-2026-29.html","https://gitlab.com/wireshark/wireshark/-/work_items/21129"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6533","summary":"Dissection engine LZ77 decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21127","https://www.wireshark.org/security/wnpa-sec-2026-28.html","https://gitlab.com/wireshark/wireshark/-/work_items/21127"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6534","summary":"USB HID protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21121","https://www.wireshark.org/security/wnpa-sec-2026-27.html","https://gitlab.com/wireshark/wireshark/-/work_items/21121"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6535","summary":"Dissection engine zlib decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21097","https://gitlab.com/wireshark/wireshark/-/issues/21098","https://www.wireshark.org/security/wnpa-sec-2026-26.html"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6536","summary":"DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 
4.6.4","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01846,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21065","https://www.wireshark.org/security/wnpa-sec-2026-25.html","https://gitlab.com/wireshark/wireshark/-/work_items/21065"],"published_time":"2026-04-30T07:16:40","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6519","summary":"MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03043,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21184","https://www.wireshark.org/security/wnpa-sec-2026-41.html","https://gitlab.com/wireshark/wireshark/-/work_items/21184"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6520","summary":"OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03043,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21181","https://www.wireshark.org/security/wnpa-sec-2026-40.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6521","summary":"OpenFlow v5 protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21182","https://gitlab.com/wireshark/wireshark/-/work_items/21188","https://www.wireshark.org/security/wnpa-sec-2026-39.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6522","summary":"RPKI-Router protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21186","https://www.wireshark.org/security/wnpa-sec-2026-42.html","https://gitlab.com/wireshark/wireshark/-/work_items/21186"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6523","summary":"GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21177","https://www.wireshark.org/security/wnpa-sec-2026-38.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6524","summary":"MySQL protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21172","https://www.wireshark.org/security/wnpa-sec-2026-37.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6526","summary":"RTSP protocol dissector crash in Wireshark 4.6.0 to 4.6.4","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21173","https://www.wireshark.org/security/wnpa-sec-2026-35.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6527","summary":"ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21149","https://www.wireshark.org/security/wnpa-sec-2026-34.html"],"published_time":"2026-04-30T07:16:39","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5407","summary":"SMB2 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21073","https://www.wireshark.org/security/wnpa-sec-2026-11.html","https://gitlab.com/wireshark/wireshark/-/work_items/21073"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5408","summary":"BT-DHT protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21067","https://www.wireshark.org/security/wnpa-sec-2026-09.html","https://gitlab.com/wireshark/wireshark/-/work_items/21067"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5409","summary":"Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21066","https://www.wireshark.org/security/wnpa-sec-2026-08.html","https://gitlab.com/wireshark/wireshark/-/work_items/21066"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5653","summary":"DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21122","https://www.wireshark.org/security/wnpa-sec-2026-22.html","https://gitlab.com/wireshark/wireshark/-/work_items/21122"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5654","summary":"AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21111","https://www.wireshark.org/security/wnpa-sec-2026-18.html","https://gitlab.com/wireshark/wireshark/-/work_items/21111"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5655","summary":"SDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21112","https://www.wireshark.org/security/wnpa-sec-2026-19.html","https://gitlab.com/wireshark/wireshark/-/work_items/21112"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5657","summary":"iLBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21113","https://www.wireshark.org/security/wnpa-sec-2026-20.html","https://gitlab.com/wireshark/wireshark/-/work_items/21113"],"published_time":"2026-04-30T07:16:38","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-41226","summary":"Open redirect vulnerability exists in Multiple laser printers and MFPs which implement Ricoh Web Image Monitor. When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":5.1,"epss":0.00029,"ranking_epss":0.08061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2026-000004","https://jvn.jp/en/jp/JVN65118274/","https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000004"],"published_time":"2026-04-30T07:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-42511","summary":"The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives.  
When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.\n\nA rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13565,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc"],"published_time":"2026-04-30T07:16:37","vendor":"freebsd","product":"freebsd","version":null},{"cve_id":"CVE-2026-42798","summary":"Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overflow in ParseCube in cmscgats.c.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176","https://github.com/mm2/Little-CMS/compare/lcms2.18...lcms2.19","https://www.openwall.com/lists/oss-security/2026/04/30/8"],"published_time":"2026-04-30T07:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5299","summary":"ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21077","https://www.wireshark.org/security/wnpa-sec-2026-12.html"],"published_time":"2026-04-30T07:16:37","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5401","summary":"AFP Spotlight protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21088","https://www.wireshark.org/security/wnpa-sec-2026-13.html","https://gitlab.com/wireshark/wireshark/-/issues/21088"],"published_time":"2026-04-30T07:16:37","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5402","summary":"TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21090","https://www.wireshark.org/security/wnpa-sec-2026-14.html"],"published_time":"2026-04-30T07:16:37","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-5406","summary":"FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":7e-05,"ranking_epss":0.00512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/issues/21070","https://www.wireshark.org/security/wnpa-sec-2026-10.html","https://gitlab.com/wireshark/wireshark/-/work_items/21070"],"published_time":"2026-04-30T07:16:37","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2024-39847","summary":"Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. 
This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00038,"ranking_epss":0.11275,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://4d.com","https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/"],"published_time":"2026-04-30T07:16:36","vendor":"4d","product":"server","version":null},{"cve_id":"CVE-2026-7376","summary":"Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21206","https://www.wireshark.org/security/wnpa-sec-2026-48.html"],"published_time":"2026-04-30T06:16:17","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-7378","summary":"Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21207","https://www.wireshark.org/security/wnpa-sec-2026-49.html"],"published_time":"2026-04-30T06:16:17","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-7379","summary":"Memory leak in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of 
service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21214","https://www.wireshark.org/security/wnpa-sec-2026-47.html"],"published_time":"2026-04-30T06:16:17","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-6868","summary":"HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21185","https://www.wireshark.org/security/wnpa-sec-2026-46.html"],"published_time":"2026-04-30T06:16:16","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2026-7375","summary":"UDS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/wireshark/wireshark/-/work_items/21225","https://www.wireshark.org/security/wnpa-sec-2026-50.html"],"published_time":"2026-04-30T06:16:16","vendor":"wireshark","product":"wireshark","version":null},{"cve_id":"CVE-2025-13030","summary":"All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. 
An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.","cvss":2.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":2.0,"epss":0.00083,"ranking_epss":0.2395,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25","https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe","https://github.com/pylixm/django-mdeditor/issues/151","https://github.com/pylixm/django-mdeditor/pull/185","https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926"],"published_time":"2026-04-30T06:16:14","vendor":"pylixm","product":"django-mdeditor","version":null},{"cve_id":"CVE-2026-7470","summary":"A flaw has been found in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. Affected is the function sub_427C3C of the file /goform/SafeMacFilter. This manipulation of the argument page causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00076,"ranking_epss":0.22413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Axelioc/CVE/blob/main/Tenda/US_4G300/sub_427C3C/sub_427C3C.md","https://vuldb.com/submit/804269","https://vuldb.com/vuln/360206","https://vuldb.com/vuln/360206/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-30T03:16:01","vendor":"tenda","product":"4g300_firmware","version":null},{"cve_id":"CVE-2026-7470","summary":"A flaw has been found in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. Affected is the function sub_427C3C of the file /goform/SafeMacFilter. This manipulation of the argument page causes stack-based buffer overflow. Remote exploitation of the attack is possible. 
The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00076,"ranking_epss":0.22413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Axelioc/CVE/blob/main/Tenda/US_4G300/sub_427C3C/sub_427C3C.md","https://vuldb.com/submit/804269","https://vuldb.com/vuln/360206","https://vuldb.com/vuln/360206/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-30T03:16:01","vendor":"tenda","product":"4g300","version":null},{"cve_id":"CVE-2026-7469","summary":"A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.03792,"ranking_epss":0.88125,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Axelioc/CVE/blob/main/Tenda/US_4G300/sub_425A28/sub_425A28.md","https://vuldb.com/submit/804268","https://vuldb.com/vuln/360205","https://vuldb.com/vuln/360205/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-30T02:16:06","vendor":"tenda","product":"4g300_firmware","version":null},{"cve_id":"CVE-2026-7469","summary":"A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. 
The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.03792,"ranking_epss":0.88125,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Axelioc/CVE/blob/main/Tenda/US_4G300/sub_425A28/sub_425A28.md","https://vuldb.com/submit/804268","https://vuldb.com/vuln/360205","https://vuldb.com/vuln/360205/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-30T02:16:06","vendor":"tenda","product":"4g300","version":null},{"cve_id":"CVE-2026-7468","summary":"A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00041,"ranking_epss":0.12099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1024-lab/smart-admin/","https://github.com/1024-lab/smart-admin/issues/117","https://vuldb.com/submit/804228","https://vuldb.com/vuln/360204","https://vuldb.com/vuln/360204/cti"],"published_time":"2026-04-30T01:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7447","summary":"A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file /admin/update_customer.php. This manipulation of the argument type/length/business parameter validity causes sql injection. The attack is possible to be carried out remotely. 
The exploit has been published and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00028,"ranking_epss":0.07901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhi-cyber/cve/issues/1","https://vuldb.com/submit/804209","https://vuldb.com/vuln/360188","https://vuldb.com/vuln/360188/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-30T01:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7445","summary":"A security vulnerability has been detected in ZachHandley ZMCPTools up to 0.2.2. Affected by this issue is some unknown functionality of the file src/managers/ResourceManager.ts of the component MCP Log Resource Handler. The manipulation of the argument dirname leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00057,"ranking_epss":0.17507,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/23","https://github.com/ZachHandley/ZMCPTools/","https://github.com/ZachHandley/ZMCPTools/issues/8","https://vuldb.com/submit/804058","https://vuldb.com/vuln/360186","https://vuldb.com/vuln/360186/cti"],"published_time":"2026-04-30T00:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7446","summary":"A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. 
Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01068,"ranking_epss":0.77814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/VetCoders/mcp-server-semgrep/","https://github.com/VetCoders/mcp-server-semgrep/commit/141335da044e53c3f5b315e0386e01238405b771","https://github.com/VetCoders/mcp-server-semgrep/issues/12","https://github.com/VetCoders/mcp-server-semgrep/pull/15","https://github.com/VetCoders/mcp-server-semgrep/releases/tag/v1.0.1","https://vuldb.com/submit/804100","https://vuldb.com/vuln/360187","https://vuldb.com/vuln/360187/cti"],"published_time":"2026-04-30T00:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7419","summary":"A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.1391,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kirlic123/IOTvulner/blob/main/4035/2/2.md","https://vuldb.com/submit/803994","https://vuldb.com/vuln/360156","https://vuldb.com/vuln/360156/cti"],"published_time":"2026-04-29T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7420","summary":"A security flaw has been discovered in UTT HiPER 1250GW up to 3.2.7-210907-180535. Impacted is the function strcpy of the file route/goform/ConfigAdvideo. The manipulation of the argument Profile results in buffer overflow. The attack can be executed remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.1391,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kirlic123/IOTvulner/blob/main/4035/5/5.md","https://vuldb.com/submit/803997","https://vuldb.com/vuln/360157","https://vuldb.com/vuln/360157/cti"],"published_time":"2026-04-29T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7443","summary":"A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.01761,"ranking_epss":0.82702,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/22","https://github.com/BurtTheCoder/mcp-dnstwist/","https://github.com/BurtTheCoder/mcp-dnstwist/issues/13","https://vuldb.com/submit/804027","https://vuldb.com/vuln/360185","https://vuldb.com/vuln/360185/cti"],"published_time":"2026-04-29T23:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6221","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering 
Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-29T23:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7381","summary":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.0231,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes","https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE","https://nvd.nist.gov/vuln/detail/CVE-2025-61780"],"published_time":"2026-04-29T23:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7410","summary":"A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. 
The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":2.1,"epss":0.00031,"ranking_epss":0.08941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/r3ng4f/Pizzafy_1/blob/main/04-exploit.md","https://vuldb.com/submit/803625","https://vuldb.com/vuln/360144","https://vuldb.com/vuln/360144/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-29T22:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7416","summary":"A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00414,"ranking_epss":0.61603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BruceJqs/public_exp/issues/19","https://github.com/PolarVista/Xcode-mcp-server/","https://github.com/PolarVista/Xcode-mcp-server/issues/4","https://vuldb.com/submit/803974","https://vuldb.com/vuln/360145","https://vuldb.com/vuln/360145/cti"],"published_time":"2026-04-29T22:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7417","summary":"A vulnerability was found in Algovate xhs-mcp 0.8.11. This affects the function xhs_publish_content of the file src/server/mcp.server.ts of the component MCP Interface. Performing a manipulation of the argument media_paths results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00059,"ranking_epss":0.18247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Algovate/xhs-mcp/","https://github.com/Algovate/xhs-mcp/issues/6","https://github.com/BruceJqs/public_exp/issues/21","https://vuldb.com/submit/803991","https://vuldb.com/vuln/360154","https://vuldb.com/vuln/360154/cti"],"published_time":"2026-04-29T22:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7418","summary":"A vulnerability was determined in UTT HiPER 1250GW up to 3.2.7-210907-180535. This vulnerability affects the function strcpy of the file route/goform/NTP. Executing a manipulation of the argument Profile can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.1391,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kirlic123/IOTvulner/blob/main/4035/1/1.md","https://vuldb.com/submit/803993","https://vuldb.com/vuln/360155","https://vuldb.com/vuln/360155/cti"],"published_time":"2026-04-29T22:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7409","summary":"A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation can lead to sql injection. The attack can be launched remotely. 
The exploit has been published and may be used.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00036,"ranking_epss":0.10559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/r3ng4f/Pizzafy_1/blob/main/03-exploit.md","https://vuldb.com/submit/803624","https://vuldb.com/vuln/360143","https://vuldb.com/vuln/360143/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-29T22:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7403","summary":"A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list_rules/fetch_rule of the file src/gel_mcp/server.py. The manipulation of the argument rule_name results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00016,"ranking_epss":0.03832,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/geldata/gel-mcp/","https://github.com/geldata/gel-mcp/issues/11","https://vuldb.com/submit/803530","https://vuldb.com/vuln/360139","https://vuldb.com/vuln/360139/cti"],"published_time":"2026-04-29T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7404","summary":"A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0. Affected is the function delete_shared_prompt of the file src/mcpo_simple_server/services/prompt_manager/base_manager.py. This manipulation of the argument detail causes relative path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00023,"ranking_epss":0.06461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getsimpletool/mcpo-simple-server/","https://github.com/getsimpletool/mcpo-simple-server/issues/4","https://vuldb.com/submit/803612","https://vuldb.com/vuln/360140","https://vuldb.com/vuln/360140/cti"],"published_time":"2026-04-29T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7407","summary":"A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /pizzafy/admin/ajax.php?action=save_settings of the component Setting Handler. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00036,"ranking_epss":0.10559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/r3ng4f/Pizzafy_1/blob/main/01-exploit.md","https://vuldb.com/submit/803613","https://vuldb.com/vuln/360141","https://vuldb.com/vuln/360141/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-29T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7408","summary":"A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Performing a manipulation results in sql injection. The attack can be initiated remotely. 
The exploit is now public and may be used.","cvss":2.0,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":2.0,"epss":0.00036,"ranking_epss":0.10559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/r3ng4f/Pizzafy_1/blob/main/02-exploit.md","https://vuldb.com/submit/803623","https://vuldb.com/vuln/360142","https://vuldb.com/vuln/360142/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-29T21:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1858","summary":"wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.tenable.com/security/research/tra-2026-37"],"published_time":"2026-04-29T21:16:20","vendor":"gnu","product":"wget2","version":null},{"cve_id":"CVE-2025-50328","summary":"A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. 
As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06943,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://b1.org/","https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version","https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version"],"published_time":"2026-04-29T21:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7425","summary":"Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":0.00019,"ranking_epss":0.05271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-023-aws/","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-gffr-xgjg-jh9j"],"published_time":"2026-04-29T20:16:32","vendor":"amazon","product":"freertos-plus-tcp","version":null},{"cve_id":"CVE-2026-7426","summary":"Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the 
maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available.","cvss":6.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":6.1,"epss":0.00019,"ranking_epss":0.05304,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-023-aws/","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1","https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-97qg-4359-xm3x"],"published_time":"2026-04-29T20:16:32","vendor":"amazon","product":"freertos-plus-tcp","version":null},{"cve_id":"CVE-2026-7400","summary":"A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. 
Upgrading the affected component is advised.","cvss":5.5,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":5.5,"epss":0.00067,"ranking_epss":0.20453,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/geekgod382/filesystem-mcp-server/","https://github.com/geekgod382/filesystem-mcp-server/commit/45364545fc60dc80aadcd4379f08042d3d3d292e","https://github.com/geekgod382/filesystem-mcp-server/issues/1","https://github.com/geekgod382/filesystem-mcp-server/releases/tag/v1.1.0","https://vuldb.com/submit/803495","https://vuldb.com/vuln/360123","https://vuldb.com/vuln/360123/cti"],"published_time":"2026-04-29T20:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-7401","summary":"A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00035,"ranking_epss":0.1033,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Xmyronn/Stored-XSS-in-CET-Automated-Grading-System-Student-Registration-Unauthenticated-Admin-Dashboard-.git","https://vuldb.com/submit/803525","https://vuldb.com/vuln/360133","https://vuldb.com/vuln/360133/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-29T20:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34965","summary":"Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. 
Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00431,"ranking_epss":0.62624,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90","https://github.com/agentejo/cockpit","https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9","https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections"],"published_time":"2026-04-29T20:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25313","summary":"SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00017,"ranking_epss":0.04245,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/44372","https://www.vulncheck.com/advisories/sysgauge-local-denial-of-service-via-proxy-configuration"],"published_time":"2026-04-29T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25314","summary":"Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. 
Attackers can craft a malicious input containing shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00018,"ranking_epss":0.0457,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.alloksoft.com","http://www.alloksoft.com/wmv.htm","https://www.exploit-db.com/exploits/44365","https://www.vulncheck.com/advisories/allok-soft-wmv-to-avi-mpeg-dvd-wmv-converter-buffer-overflow"],"published_time":"2026-04-29T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25315","summary":"Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with structured exception handler (SEH) overwrite and shellcode to achieve code execution when the application processes the license registration input.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00018,"ranking_epss":0.0457,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.alloksoft.com","http://www.alloksoft.com/joiner.htm","https://www.exploit-db.com/exploits/44364","https://www.vulncheck.com/advisories/alloksoft-video-joiner-buffer-overflow-via-license-name"],"published_time":"2026-04-29T20:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25316","summary":"Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. 
Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00161,"ranking_epss":0.36504,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/44373","https://www.vulncheck.com/advisories/tenda-w308r-v2-cookie-session-weakness-dns-change"],"published_time":"2026-04-29T20:16:27","vendor":"tenda","product":"w308r_firmware","version":null}]}