Security Research
Deep-dive technical analysis, CVE breakdowns, threat actor profiles, and mobile security research. Written by practitioners, for practitioners.
CVE-2026-4798: Avada Builder Unauthenticated Time-Based SQLi via product_order
Avada Builder ≤3.15.1 passes the `product_order` parameter directly into a WooCommerce fallback query path without escaping or preparation, enabling unauthenticated time-based blind SQL injection.
CVE-2026-5441: OOB Read in Orthanc PSMCT_RLE1 Decoder Leaks Heap
The DecodePsmctRle1 function in Orthanc's DicomImageDecoder.cpp fails to validate escape markers near end-of-buffer, leaking heap contents into rendered DICOM image output.
CVE-2026-0029: pKVM __pkvm_init_vm Logic Error Enables Local EoP
A logic error in __pkvm_init_vm of pkvm.c allows memory corruption in Android's protected KVM hypervisor layer, enabling local privilege escalation with no additional permissions required.
CVE-2026-5760: SGLang Rerank Endpoint RCE via Unsandboxed Jinja2
SGLang's /v1/rerank endpoint renders Jinja2 chat templates without sandboxing, allowing RCE via malicious tokenizer.chat_template in a loaded model file. CVSS 9.8.
CVE-2025-48574: Android DisplayPolicy Missing Permission Check Enables Drag-and-Drop Hijack
A missing permission check in validateAddingWindowLw of DisplayPolicy.java allows unprivileged apps to intercept drag-and-drop events, enabling local privilege escalation without user interaction.
CVE-2025-48645: DeviceAdminInfo.loadDescription Persistent Package Privilege Escalation
Improper input validation in DeviceAdminInfo.loadDescription() allows a malicious package to persist with elevated privileges. No additional execution privileges or user interaction required.
CVE-2026-34645: Adobe Commerce Incorrect Authorization Leads to Unauthenticated Write
Adobe Commerce's REST API authorization middleware fails to validate role scope on nested resource writes, allowing unauthenticated attackers to gain arbitrary write access without user interaction.
CVE-2026-23827: Heap Overflow in AOS Network Management Service Enables Unauthenticated RCE
A heap-based buffer overflow in AOS-8/AOS-10's network management service allows unauthenticated remote attackers to corrupt heap metadata and achieve privileged RCE. No authentication required.
CVE-2026-23826: AOS-8 Network Management Service Remote DoS via Malformed Packets
An unauthenticated attacker can crash the AOS-8 network management service by sending crafted packets that trigger an unhandled length/state condition, terminating the process.
CVE-2026-23825: AOS-8/10 Protocol Handler DoS via Malformed Network Messages
Insufficient input validation in AOS-8 and AOS-10 protocol-handling components allows unauthenticated remote attackers to terminate critical system processes via crafted network messages.
CVE-2026-23824: AOS-8/10 Protocol Handler DoS via Malformed Network Messages
Insufficient input validation in AOS-8/AOS-10's protocol-handling subsystem allows unauthenticated attackers to terminate a critical process via crafted network messages, causing a denial-of-service condition.
CVE-2026-39432: Timetics Plugin Broken Access Control via Unauthenticated REST Endpoints
Timetics ≤1.0.53 exposes AJAX/REST handlers without capability checks, allowing unauthenticated actors to manipulate booking data and staff assignments. CVSS 8.2 HIGH.
CVE-2026-45430: CSRF via Missing OAuth State in Backdrop Salesforce
The Backdrop CMS Salesforce module omits a cryptographic state parameter from OAuth flows, enabling CSRF-driven token hijacking and remote account compromise.
CVE-2026-34263: SAP Commerce Cloud RCE via Spring Security Misconfiguration
An unauthenticated attacker can upload arbitrary Groovy/Spring configuration to SAP Commerce Cloud, achieving remote code execution with full application privileges. CVSS 9.6 Critical.
CVE-2026-34260: SQL Injection in SAP Enterprise Search for ABAP
SAP S/4HANA's Enterprise Search for ABAP concatenates user input directly into SQL queries. Authenticated attackers can exfiltrate sensitive database content or crash the application.
CVE-2026-34259: OS Command Injection in SAP Forecasting & Replenishment
An authenticated admin in SAP F&R can invoke a non-remote-enabled function module to inject arbitrary OS commands. Full CIA triad compromise on the underlying host.
CVE-2025-64784: DNG SDK 1.7.0 Heap Overflow via Malicious Image File
DNG SDK ≤1.7.0 contains a heap-based buffer overflow in its tile/strip data parsing path. A crafted DNG file can expose sensitive heap memory or crash the host application.
CVE-2026-0047: Missing Permission Check in dumpBitmapsProto Enables Local Privilege Escalation
A missing permission check in ActivityManagerService.dumpBitmapsProto allows any unprivileged app to access private task snapshot bitmaps, enabling local privilege escalation with no user interaction required.
CVE-2025-38618: vsock VMADDR_PORT_ANY Autobind Use-After-Free
A use-after-free in Linux vsock allows an autobound socket accepted via accept() to trigger an extra refcount decrement when bound to VMADDR_PORT_ANY, corrupting socket lifecycle state.
CVE-2026-42611: Grav CMS SVG Injection to RCE via Admin Nonce Chain
A low-privileged Grav CMS user can inject SVG payloads into page content, escalating stored XSS to full RCE by stealing admin nonces and chaining authenticated requests.
CVE-2026-42607: Grav CMS ZIP Upload RCE via Direct Install
Grav's Direct Install tool validates file extensions but never inspects ZIP contents, allowing authenticated admins to extract arbitrary PHP webshells and achieve persistent RCE.
CVE-2026-4802: Cockpit Log UI Shell Metacharacter Injection RCE
Cockpit's system logs UI passes unsanitized user-controlled parameters directly to shell execution, allowing remote attackers to inject metacharacters and achieve full host compromise.
CVE-2026-43500: rxrpc Shared Fragment In-Place Decryption RCE
Linux rxrpc fails to unshare skbs with externally-owned paged fragments before AEAD decryption, enabling in-place crypto corruption via splice-loopback. CVSS 7.8.
CVE-2026-0020: Android Permission Group Parsing Bypass via ParsedPermissionUtils
A logic flaw in parsePermissionGroup() allows a malicious app to bypass consent dialogs and silently acquire dangerous permissions. No user interaction required; local privilege escalation without additional execution privileges.
CVE-2025-48605: Android KeyguardViewMediator Logic Error Enables Lockscreen Bypass
A logic error in KeyguardViewMediator.java allows local privilege escalation by bypassing the Android lockscreen entirely. No additional privileges or user interaction required.
CVE-2026-5444: Orthanc PAM Parser Integer Overflow → Heap Buffer Overflow
32-bit integer overflow in Orthanc's PAM image dimension calculation allocates an undersized heap buffer, enabling a controlled heap write during pixel processing of crafted DICOM files.
CVE-2026-8260: D-Link DCS-935L HNAP SetDeviceSettings Stack Overflow
A stack buffer overflow in the DCS-935L HNAP service allows unauthenticated remote code execution via an oversized AdminPassword field in SetDeviceSettings requests.
CVE-2021-47935: Sentry RCE via Pickle Deserialization in Audit Log
Sentry 8.2.0 deserializes attacker-controlled pickle data in the admin audit log endpoint without sanitization, allowing authenticated superusers to achieve RCE with application privileges.
CVE-2021-47933: MStore API Unauthenticated File Upload to RCE
MStore API 2.0.6 exposes an unauthenticated REST endpoint that accepts arbitrary file uploads, enabling direct PHP webshell deployment and remote code execution without credentials.
CVE-2021-47932: TheCartPress AJAX Handler Unauthenticated Admin Creation
TheCartPress 1.5.3.6 exposes a registration AJAX handler that accepts attacker-supplied roles, allowing unauthenticated creation of administrator accounts via a single POST request.
CVE-2026-8234: Stack Overflow in ipTIME A8004T formWifiBasicSet
EFM ipTIME A8004T 14.18.2 exposes an unauthenticated stack-based buffer overflow via the security_5g parameter in /goform/WifiBasicSet, enabling remote code execution.
CVE-2026-42605: AzuraCast Path Traversal to RCE via Flow.js Upload
Unsanitized currentDirectory parameter in AzuraCast's Flow.js upload endpoint allows authenticated users to write arbitrary files outside station root, enabling PHP webshell deployment.
CVE-2026-42575: apko Skips Per-Package Checksum Validation
apko verifies the APKINDEX signature but never compares downloaded .apk checksums against the signed index. An attacker controlling any mirror can silently substitute arbitrary packages into built OCI images.
CVE-2026-42574: apko Symlink Tar Entry Escapes Build Root
A crafted .apk's TypeSymlink tar entry can redirect subsequent writes outside the apko build root, giving an attacker host-path write primitives during image construction.
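Added example (not apko's code) of the check such an extractor needs: plan where each entry lands once the symlink entries created before it are honoured, and refuse the archive as soon as any write would resolve outside the build root. Entry names, link targets and the root path below are constructed.

```python
"""Plan where each tar entry lands on disk once earlier symlink entries are honoured.

Added example, not apko's code. Entry order matters: a symlink created first
redirects every later write beneath it, which is the class of bug described above.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Placement:
    name: str        # path as stored in the archive
    host_path: str   # where the bytes would actually land
    inside: bool     # True if host_path stays under the build root


# Constructed archive: a benign absolute symlink, then a relative one that
# climbs out of the root, then a file written through it.
SAMPLE_ENTRIES = [
    ("dir", "etc", ""),
    ("file", "etc/motd", ""),
    ("symlink", "etc/hostname", "/proc/sys/kernel/hostname"),
    ("symlink", "lib", "../../../../tmp"),
    ("file", "lib/evil.so", ""),
]


def _resolve(root: str, rel: str, links: Dict[str, str]) -> str:
    """Walk rel beneath root, substituting symlinks recorded so far."""
    path = root
    for part in rel.split("/"):
        if part in ("", "."):
            continue
        path = posixpath.normpath(posixpath.join(path, part))
        if path in links:
            path = links[path]
    return path


def _inside(root: str, path: str) -> bool:
    return path == root or path.startswith(root.rstrip("/") + "/")


def plan(root: str, entries: Iterable[Tuple[str, str, str]]) -> List[Placement]:
    """entries: (kind, name, linkname) with kind in {"dir", "file", "symlink"}."""
    root = posixpath.normpath(root)
    links: Dict[str, str] = {}
    out: List[Placement] = []
    for kind, name, linkname in entries:
        parent = _resolve(root, posixpath.dirname(name), links)
        dest = posixpath.normpath(posixpath.join(parent, posixpath.basename(name)))
        if kind == "symlink":
            # An absolute target means "absolute inside the image": re-root it.
            # A relative target is resolved from the link's own directory.
            if linkname.startswith("/"):
                target = posixpath.normpath(root + linkname)
            else:
                target = posixpath.normpath(posixpath.join(parent, linkname))
            links[dest] = target
            out.append(Placement(name, target, _inside(root, target)))
        else:
            out.append(Placement(name, dest, _inside(root, dest)))
    return out


def safe_plan(root: str, entries: Iterable[Tuple[str, str, str]]) -> List[Placement]:
    """Reject the archive at the first entry that would leave root."""
    placements = plan(root, entries)
    for p in placements:
        if not p.inside:
            raise ValueError(f"entry {p.name!r} resolves to {p.host_path!r} outside {root!r}")
    return placements
```

Python's own tarfile gained the same protection as extraction filters (filter='data' refuses links that resolve outside the destination); an extractor written by hand needs the rule above: resolve every write through the links already created, and rebase absolute link targets into the image root rather than onto the host.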
CVE-2026-0013: DocumentsUI Confused Deputy Enables Arbitrary Activity Launch
A confused deputy flaw in PickActivity.java's setupLayout() allows any unprivileged app to launch arbitrary activities under DocumentsUI's identity, achieving local privilege escalation without user interaction.
CVE-2026-5756: Unauthenticated Config Write in DRC COS
DRC INSIGHT's Central Office Services exposes /v0/configuration without auth, allowing any LAN peer to overwrite server config and redirect test data to attacker-controlled infrastructure.
CVE-2026-3828: Authenticated RCE in Discontinued Hikvision Switch Firmware
Hikvision switch firmware fails to sanitize attacker-controlled input before shell execution, allowing authenticated users to run arbitrary OS commands. Affects discontinued product lines EOL'd December 2023.
CVE-2025-48602: Android Keyguard Logic Error Enables Lockscreen Bypass
A logic error in exitKeyguardAndFinishSurfaceBehindRemoteAnimation allows local privilege escalation by bypassing the lockscreen without any user interaction or additional privileges.
CVE-2026-0025: Android Notification.hasImage() Cross-User Info Disclosure
A permissions bypass in Notification.java's hasImage() allows cross-user data exposure and local privilege escalation with no user interaction required on affected Android builds.
CVE-2026-0032: OOB Write in mem_protect.c Enables Local Privilege Escalation
A logic error across multiple functions in Android's mem_protect.c allows an out-of-bounds write, enabling local privilege escalation without additional privileges or user interaction.
CVE-2026-42296: Argo Workflows templateReferencing Strict Mode Bypass
A logic flaw in Argo Workflows allows users with Workflow create permissions to bypass templateReferencing: Strict, gaining host network access, SA token mounting, and control-plane scheduling. Patched in 3.7.14 and 4.0.5.
CVE-2026-41512: RCE via JS Injection in ai-scanner PlaywrightService
ai-scanner 1.0.0–1.4.0 allows unauthenticated RCE through JavaScript injection in BrowserAutomation::PlaywrightService. Patched in 1.4.1.
CVE-2026-41507: math-codegen RCE via new Function() Code Injection
math-codegen <0.4.3 injects unsanitized string literals verbatim into new Function() bodies, enabling full RCE from any user-controlled math evaluation endpoint.
CVE-2026-41496: SQL Injection Across Nine PraisonAI Storage Backends
PraisonAI's partial fix for CVE-2026-40315 left nine storage backends vulnerable to table_prefix SQL injection. 52 unsanitized injection points remain across MySQL, PostgreSQL, async variants, Turso, SingleStore, Supabase, and SurrealDB.
CVE-2026-31431: algif_aead In-Place Op Confusion Leads to LPE
A broken in-place scatter-gather optimization in Linux's algif_aead socket layer allows heap corruption via mismatched src/dst mappings, enabling local privilege escalation to root.
CVE-2026-0034: ManagedServices Policy Desync Enables Local Privilege Escalation
A missing validation check in setPackageOrComponentEnabled() allows an unprivileged caller to desync Android's notification policy state, enabling local privilege escalation without user interaction.
CVE-2026-0023: PackageInstallerService Missing Permission Check Enables Privilege Escalation
A missing permission check in createSessionInternal allows any app to hijack installer session ownership, enabling local privilege escalation without additional execution privileges.
CVE-2022-50994: DrayTek Vigor 2960 Unauthenticated RCE via CGI Login
DrayTek Vigor 2960 firmware <1.5.1.4 exposes an OS command injection in mainfunction.cgi's login handler. Unsanitized formpassword input reaches otp_check.sh, enabling pre-auth RCE.
CVE-2026-41500: Command Injection in electerm's runMac() Yields RCE
electerm's npm/install.js appends unsanitized releaseInfo.name into a shell exec() call. Pre-3.3.8, a malicious update server achieves unauthenticated RCE on macOS.
CVE-2026-8128: SQL Injection in SUP Online Shopping viewmsg.php
Unsanitized msgid parameter in /admin/viewmsg.php enables blind and UNION-based SQLi. Full database read and potential OS-level RCE via INTO OUTFILE.
CVE-2026-8126: SQL Injection to RCE in SourceCodester Comment System 1.0
Unsanitized Name parameter in post_comment.php enables stacked-query SQL injection against MySQL, enabling remote code execution via INTO OUTFILE webshell drop on default configurations.
CVE-2026-8098: SQL Injection in Feedback System 1.0 checklogin.php
Unauthenticated SQL injection in /admin/checklogin.php allows remote attackers to bypass authentication and dump the database via the unsanitized email parameter.
CVE-2026-42239: Budibase JWT Cookie Exposed via httpOnly: false
Budibase sets its auth JWT cookie without httpOnly, secure, or sameSite flags, turning any XSS into full persistent account takeover via document.cookie exfiltration.
CVE-2026-41688: DNS Rebinding TOCTOU in Wallos Webhook Validation
Wallos ≤4.8.4 validates webhook URLs with gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning, creating an exploitable DNS rebinding window across 10 of 11 HTTP endpoints.
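The check-then-use gap as an added example (not Wallos's code): the resolver and the connection are injected so the attacker's second DNS answer can be replayed deterministically, and `fetch_pinned` shows the CURLOPT_RESOLVE-style fix of connecting to the validated address by IP while keeping the original Host header. Hostnames and addresses are constructed.

```python
"""Validate-then-fetch with and without pinning the validated address.

Added example, not Wallos's code. The resolver and the connection are injected
so the rebinding race can be replayed deterministically.
"""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], str]
Connector = Callable[[str, str], str]   # (ip, Host header value) -> response


def is_public(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.169.254 included), multicast, etc."""
    a = ipaddress.ip_address(ip)
    return a.is_global and not a.is_multicast


def fetch_unpinned(url: str, resolve: Resolver, connect: Connector) -> str:
    """The flaw: validate DNS answer #1, then hand the hostname to a client that resolves again."""
    host = urlsplit(url).hostname or ""
    if not is_public(resolve(host)):          # time of check
        raise ValueError("non-public address")
    return connect(resolve(host), host)       # time of use: answer #2 may differ


def fetch_pinned(url: str, resolve: Resolver, connect: Connector) -> str:
    """Resolve once, validate that address, connect to it by IP, keep the Host header."""
    host = urlsplit(url).hostname or ""
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError("non-public address")
    return connect(ip, host)                  # what CURLOPT_RESOLVE "host:port:ip" achieves


def rebinding_resolver(answers: List[str]) -> Resolver:
    """Constructed attacker DNS: a short-TTL record that changes on every lookup."""
    queue = list(answers)

    def resolve(host: str) -> str:
        return queue.pop(0)

    return resolve


def fake_connect(ip: str, host: str) -> str:
    """Stand-in for the HTTP client; reports where the bytes actually went."""
    return f"connected to {ip} with Host: {host}"
```

Pinning closes the rebinding window for the first connection only: redirects must be disabled or re-validated per hop, and every A/AAAA answer, not just the first, has to pass the check.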
CVE-2026-41589: Path Traversal in Wish SCP Middleware
The Wish SSH server's SCP middleware fails to sanitize `../` sequences in client-supplied filenames, allowing arbitrary read/write and directory creation outside the configured root.
CVE-2025-14341: DivvyDrive Mass Assignment + Resource Exhaustion RCE
DivvyDrive's sync engine accepts attacker-controlled attribute names without a whitelist and allocates unbounded buffers, enabling remote code execution via heap corruption and resource exhaustion.
CVE-2026-8093: Memory Safety Corruption in Firefox 150.0.1
Multiple memory safety bugs in Firefox 150.0.1 show evidence of heap corruption. Reporters include Jan de Mooij and the Mozilla Fuzzing Team; fixed in 150.0.2.
CVE-2025-1978: RCE in Hitachi VSP Storage Navigator Management Console
Remote code execution in Hitachi VSP Storage Navigator affects G/F/E series and One Block platforms. Unauthenticated network attack via the SVP management interface enables full controller compromise.
CVE-2026-41201: CI4MS Stored DOM XSS to Full Account Takeover
CI4MS 0.31.4.0 backup module unsafely renders SQL filenames, enabling stored DOM XSS via crafted filename fields. Leads to session hijack and full privilege escalation.
CVE-2026-43581: OpenClaw CDP Relay Exposes DevTools on 0.0.0.0
OpenClaw's sandbox browser CDP relay binds Chrome DevTools Protocol to 0.0.0.0 instead of 127.0.0.1, escaping sandbox isolation. Remote attackers gain full browser control without authentication.
CVE-2026-43580: OpenClaw Navigation Guard Bypass Enables SSRF-Gated RCE
OpenClaw's browser interaction handlers skip post-action SSRF policy checks on pressKey and type-submit flows, letting attackers navigate to arbitrary internal endpoints without enforcement.
CVE-2026-43578: OpenClaw Heartbeat Owner Downgrade Misses Async Exec Completion
OpenClaw's heartbeat owner downgrade logic fails to observe local background async exec completion events, allowing untrusted completion content to persist in a privileged execution context.
CVE-2026-43575: OpenClaw noVNC Helper Route Auth Bypass
OpenClaw's sandbox noVNC helper route omits bridge authentication checks, exposing interactive browser session credentials to unauthenticated attackers. CVSS 9.8 critical.
CVE-2026-20167: Cisco IoT FND Improper Error Handling Triggers Router DoS
Authenticated low-privilege attackers can force Cisco IoT FND to request unauthorized files from managed routers, triggering a reload and DoS via crafted web interface input.
CVE-2026-20035: SSRF in Cisco Unity Connection Web Inbox
Improper input validation in Cisco Unity Connection's Web Inbox UI enables unauthenticated SSRF, allowing arbitrary network requests sourced from the device. CVSS 7.2 HIGH.
CVE-2026-20034: Cisco Unity Connection Authenticated RCE via API Input Validation Failure
Insufficient validation in Cisco Unity Connection's web management API allows authenticated attackers to execute arbitrary code as root via a crafted API request.
CVE-2026-6691: MongoDB C Driver SASL Username Canonicalization Heap Overflow
The MongoDB C Driver performs an unsafe strcpy during GSSAPI username canonicalization, triggering a heap buffer overflow before any network authentication occurs. CVSS 7.8.
CVE-2026-40562: Gazelle ≤0.49 HTTP Request Smuggling via Header Precedence
Gazelle's PSGI server incorrectly prioritizes Content-Length over Transfer-Encoding: chunked, violating RFC 7230 §3.3.3 and enabling CL.TE request smuggling against reverse-proxied deployments.
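The framing rule in question, as an added example (toy parsers, not Gazelle's code; the request bytes are constructed): a parser that honours Content-Length when Transfer-Encoding: chunked is also present ends the first request at a different byte than an RFC 7230 §3.3.3 parser does, and the leftover bytes become the head of the next request on the other hop. Which hop runs which parser decides whether the pair is labelled CL.TE or TE.CL; the disagreement is the same.

```python
"""Body framing per RFC 7230 section 3.3.3 and the split that request smuggling relies on.

Added example; these toy parsers are not Gazelle's code. The request bytes are constructed.
"""
from typing import Dict, Tuple

# Constructed request: Content-Length covers the whole tail, while a chunked
# decoder stops at the zero-length chunk and leaves HIDDEN unread.
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SMUGGLED_TAIL = b"0\r\n\r\n" + HIDDEN
SMUGGLED = b"".join([
    b"POST /search HTTP/1.1\r\n",
    b"Host: app.example\r\n",
    b"Content-Length: %d\r\n" % len(SMUGGLED_TAIL),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    SMUGGLED_TAIL,
])
# Constructed request with a single framing header; every parser agrees on it.
PLAIN = b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\nabcXYZ"


def split_head(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (lower-cased headers, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, rest


def read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes after the terminating chunk)."""
    body = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            while True:                               # trailer section ends at an empty line
                line_end = data.index(b"\r\n", pos)
                if line_end == pos:
                    return bytes(body), data[pos + 2:]
                pos = line_end + 2
        body += data[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF


def frame_message(raw: bytes, mode: str) -> Tuple[bytes, bytes]:
    """Return (body of the first message, bytes left over for the next one).

    mode="cl_first": the flaw; Content-Length wins even when chunked is present.
    mode="te_first": RFC 7230 section 3.3.3; Transfer-Encoding overrides.
    mode="strict":   treat the conflicting pair as an error (what a hardened
                     origin, or a proxy that must forward, should do).
    """
    headers, rest = split_head(raw)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    cl = headers.get("content-length")
    if chunked and cl is not None and mode == "strict":
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if chunked and not (mode == "cl_first" and cl is not None):
        return read_chunked(rest)
    if cl is not None:
        n = int(cl)
        return rest[:n], rest[n:]
    return b"", rest


def frames_disagree(raw: bytes) -> bool:
    """True when a CL-honouring hop and a chunked-honouring hop split raw differently."""
    return frame_message(raw, "cl_first") != frame_message(raw, "te_first")
```

A server that must forward such a message has to drop Content-Length before doing so; for an origin that does not forward, the strict mode above (reject the conflicting pair with a 400) is the safest behaviour.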
CVE-2026-3059: Unauthenticated RCE in SGLang via ZMQ Pickle Deserialization
SGLang's multimodal ZMQ broker deserializes attacker-controlled data via pickle.loads() with no authentication, enabling unauthenticated RCE against inference servers. CVSS 9.8.
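Two defences for any pickle sink, including the Sentry audit-log case earlier on this page and the ZMQ broker above, as an added example that is neither project's code: `referenced_globals` walks the opcode stream with pickletools and lists every global the data would import without running it (a detection a broker can apply before deserializing), and `RestrictedUnpickler` enforces an allowlist in find_class at load time. The gadget object is constructed and calls os.getcwd() as a harmless stand-in for os.system.

```python
"""Static inspection of a pickle's globals, and a find_class allowlist at load time.

Added example; not Sentry's or SGLang's code. The gadget payload is constructed.
"""
import io
import os
import pickle
import pickletools
from collections import OrderedDict
from typing import List, Tuple


class Gadget:
    """Constructed payload: unpickling it calls os.getcwd(), a harmless stand-in
    for the os.system / subprocess gadgets real payloads use."""
    def __reduce__(self):
        return (os.getcwd, ())


def malicious_pickle() -> bytes:
    return pickle.dumps(Gadget())


def sample_pickle() -> bytes:
    """Benign data that legitimately needs one global (collections.OrderedDict)."""
    return pickle.dumps(OrderedDict([("a", 1), ("b", [1, 2])]))


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """List every (module, name) the pickle would import, without executing it."""
    found: List[Tuple[str, str]] = []
    strings: List[str] = []                       # recent string constants feed STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):         # protocol <= 3: "module name" in one arg
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":           # protocol >= 4: module and name pushed before
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


# Only plain data containers; nothing callable at import time, nothing with side effects.
ALLOWED = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """What the vulnerable sinks do: plain pickle.loads runs the gadget."""
    return pickle.loads(data)
```

Neither defence makes pickle safe for untrusted peers; the durable fix is authentication on the socket plus a data-only format such as JSON or msgpack. The allowlist is deliberately tiny: any class whose constructor or `__setstate__` does work is a gadget.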
CVE-2026-0008: Confused Deputy Leads to Local Privilege Escalation
A confused deputy vulnerability in multiple system locations allows local privilege escalation with no additional permissions or user interaction required. CVSS 8.4 HIGH.
CVE-2026-7841: RCE via Command Injection in GeoVision GV-ASWeb 6.2.0
An authenticated attacker with System Setting permissions can execute arbitrary OS commands on GeoVision GV-ASWeb 6.2.0 by injecting shell metacharacters into Notification Settings fields routed through ASWebCommon.srf.
CVE-2026-7332: Unauthenticated Stored XSS in LatePoint via booking_form_page_url
LatePoint ≤5.5.0 writes unsanitized booking_form_page_url into the WordPress database via an order intent hook that fires before Stripe validation, enabling unauthenticated stored XSS.
CVE-2026-7857: D-Link DI-8100 CGI sprintf Stack Overflow via user_group.asp
The D-Link DI-8100 CGI handler blindly passes attacker-controlled query parameters into a fixed-size stack buffer via sprintf, enabling unauthenticated remote stack corruption.
CVE-2026-7856: Stack Overflow in D-Link DI-8100 /url_member.asp
D-Link DI-8100 16.07.26A1 web management interface performs an unbounded strcpy into a fixed stack buffer when processing the Name argument in /url_member.asp, enabling unauthenticated RCE.
CVE-2026-44331: ProFTPD mod_wrap2_sql Blind SQL Injection via Reverse DNS
ProFTPD's sqltab_fetch_clients_cb() passes attacker-controlled reverse DNS hostnames directly into SQL queries without escaping. Exploitable when UseReverseDNS is enabled.
CVE-2023-54347: OpenEMR 7.0.1 Authentication Rate Limiting Bypass
OpenEMR 7.0.1 fails to enforce account lockout on its primary login endpoint, allowing unrestricted credential stuffing via POST to interface/main/main_screen.php.
ERPNext 13.4.0: RestrictedPython Sandbox Escape via Frame Introspection
ERPNext 13.4.0 allows System Manager role users to escape the RestrictedPython sandbox via gi_frame traversal, reaching os.popen for arbitrary command execution through the Server Script endpoint.
CVE-2023-54344: Eclipse Equinox OSGi Console Unauthenticated RCE
Eclipse Equinox OSGi ≤3.7.2 exposes an unauthenticated Telnet console that accepts raw shell commands, enabling full RCE via base64-encoded payloads wrapped in fork directives.
CVE-2023-54342: Unauthenticated RCE in Eclipse Equinox OSGi Console
Eclipse Equinox OSGi 3.8–3.18 exposes an unauthenticated telnet console accepting arbitrary fork commands. A remote attacker can download and execute malicious Java bytecode with no credentials required.
CVE-2026-35228: SQL Injection via Unsanitized HTTP Input in Oracle MCP Server Helper
Oracle MCP Server Helper Tool 1.0.1–1.0.156 exposes an unauthenticated HTTP endpoint that passes attacker-controlled input directly to SQL execution without parameterization or escaping.
CVE-2025-13618: WordPress Mentoring Plugin Unauthenticated Privilege Escalation
The Mentoring plugin ≤1.2.8 allows unauthenticated attackers to register administrator accounts by passing arbitrary role parameters to mentoring_process_registration(). CVSS 9.8.
CVE-2026-5722: MoreConvert Pro Auth Bypass via Token Fixation
MoreConvert Pro ≤1.9.14 allows unauthenticated attackers to hijack any account by exploiting stale guest waitlist tokens that survive email address reassignment.
CVE-2026-44028: Nix NAR Parser Stack-to-Heap Overflow RCE
Unbounded recursion in Nix's NAR archive parser overflows coroutine stacks lacking guard pages, enabling heap corruption and RCE as root in multi-user daemon mode.
CVE-2026-7791: TOCTOU Race in WorkSpaces Skylight Agent Yields SYSTEM
A TOCTOU race in the Skylight Workspace Config Service log rotation allows a local user to plant arbitrary files in privileged locations, escalating to SYSTEM on Windows.
CVE-2026-6321: fast-uri Normalizes Encoded Traversal Past Policy Boundaries
fast-uri ≤3.1.0 decodes percent-encoded slashes and dot segments before applying RFC 3986 dot-segment removal, allowing attacker-controlled URIs to collapse onto paths outside enforced prefixes.
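The ordering problem as an added example (not fast-uri's code; paths and the policy prefix are constructed): `normalize_decode_first` models decode-then-collapse, under which a prefix gate applied to the raw path passes a request that then collapses outside the prefix; `normalize_in_order` collapses the encoded form first and refuses any segment that would decode into a path operator, and `serve_safe` applies the policy to that canonical form rather than to the raw request.

```python
"""Percent-decoding before or after dot-segment removal, and what a prefix policy sees.

Added example, not fast-uri's code. Request paths and the policy prefix are constructed.
"""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 over an absolute path, applied to the raw (still
    percent-encoded) form so only literal '.' and '..' segments act as operators."""
    segments = path.split("/")
    stack = []
    for seg in segments[1:]:               # segments[0] is '' for an absolute path
        if seg == "..":
            if stack:
                stack.pop()
        elif seg != ".":
            stack.append(seg)
    if segments[-1] in (".", ".."):
        stack.append("")                   # a trailing dot-segment keeps the trailing slash
    return "/" + "/".join(stack)


def normalize_decode_first(path: str) -> str:
    """The flawed order: decode everything, then collapse. '%2F' and '%2E' become
    path operators that a policy check on the raw path never saw."""
    return remove_dot_segments(unquote(path))


def normalize_in_order(path: str) -> str:
    """Collapse the encoded form first, then decode segment by segment and refuse
    any segment that would turn into a path operator once decoded."""
    decoded = []
    for seg in remove_dot_segments(path).split("/"):
        d = unquote(seg)
        if d in (".", "..") or "/" in d or "\\" in d or "\x00" in d:
            raise ValueError(f"segment {seg!r} decodes to a path operator")
        decoded.append(d)
    return "/".join(decoded)


def serve(path: str, prefix: str, normalize) -> str:
    """A policy gate on the raw path in front of a router that canonicalizes with
    `normalize`; returns the path the handler would actually open."""
    if not path.startswith(prefix):
        raise PermissionError(path)
    return normalize(path)


def serve_safe(path: str, prefix: str) -> str:
    """Gate on the same canonical form the handler uses."""
    canonical = normalize_in_order(path)
    if not canonical.startswith(prefix):
        raise PermissionError(canonical)
    return canonical
```

The two normalizers agree on every benign path; they only diverge when a segment carries an encoded slash or encoded dots, which is exactly the input a policy layer needs to see in canonical form before deciding.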
CVE-2026-23918: Apache HTTP/2 Early Reset Double Free and RCE
A double free in Apache httpd 2.4.66's HTTP/2 early reset handling allows heap corruption leading to possible remote code execution. Fixed in 2.4.67 via r1930444.
CVE-2025-58074: Norton Secure VPN Installer Race Enables Arbitrary File Deletion EoP
A TOCTOU race in Norton Secure VPN's Microsoft Store installer lets a low-privilege user replace staged files mid-install, triggering SYSTEM-level arbitrary file deletion and full privilege escalation.
CVE-2026-7482: Ollama GGUF Loader Heap OOB Read Leaks Process Memory
A missing bounds check in Ollama's GGUF tensor loader allows attacker-supplied offsets to drive heap reads past allocated buffers, leaking API keys and conversation data via /api/push exfiltration.
CVE-2026-7719: Stack Overflow in Totolink WA300 loginauth via http_host
The loginauth handler in Totolink WA300 5.2cu.7112_B20190227 performs an unchecked strcpy of the attacker-controlled http_host POST parameter into a fixed stack buffer, enabling unauthenticated RCE.
CVE-2026-7711: MindsDB BYOM Engine Handler Unrestricted Upload via exec()
MindsDB's BYOM proc_wrapper.py passes attacker-controlled model code directly to exec() without path sanitization or file type validation, enabling remote code execution via malicious engine upload.
CVE-2026-7710: JWT Auth Bypass via mock-token in yudao-cloud
JwtAuthenticationTokenFilter in yudao-cloud ≤3.8.0 allows unauthenticated access by accepting a crafted mock-token header, bypassing the entire Spring Security filter chain.
CVE-2026-7698: OS Command Injection in Tiandy Easy7 via week Parameter
Tiandy Easy7 7.17.0 exposes an unauthenticated REST endpoint that passes a user-controlled `week` argument directly into a shell command, enabling remote code execution.
CVE-2026-7695: SQL Injection in Acrel EEMS via fCircuitids Parameter
Acrel EEMS 1.3.0 exposes an unauthenticated SQL injection in /SubstationWEBV2/main/elecMaxMinAvgValue via unsanitized fCircuitids. Remote exploitation yields full database read/write.
CVE-2026-7694: Blind SQLi in Acrel ECEMS via fCircuitids Parameter
Acrel ECEMS 1.3.0 exposes an unauthenticated SQL injection in /SubstationWEBV2/main/elecMaxMinAvgValue. The fCircuitids parameter is concatenated directly into a query with no sanitization.
CVE-2026-7685: Stack Overflow in Edimax BR-6208AC setWAN via pptpDfGateway
Edimax BR-6208AC ≤1.02 exposes an unauthenticated stack overflow in /goform/setWAN. The pptpDfGateway argument is copied into a fixed stack buffer without length validation, enabling RCE.
CVE-2026-7684: Stack Overflow in Edimax BR-6428nC via pptpDfGateway
The /goform/setWAN handler in Edimax BR-6428nC ≤1.16 copies the pptpDfGateway POST parameter into a fixed-size stack buffer without bounds checking, enabling unauthenticated RCE.
CVE-2026-7679: OAuth2 Token Bypass in YunaiV yudao-cloud
A logic flaw in OAuth2TokenServiceImpl.getAccessToken() allows remote attackers to bypass authentication in yudao-cloud ≤2026.01 by manipulating token validation inputs.
CVE-2026-7675: Stack Buffer Overflow in LBT-T300-HW1 apply.cgi start_lan
Unauthenticated stack overflow in Shenzhen Libituo LBT-T300-HW1 ≤1.2.8 via unsanitized Channel/ApCliSsid CGI params in start_lan(). CVSS 8.8, remotely exploitable.
CVE-2026-7674: Stack Overflow in LBT-T300-HW1 VPN Parameter Handling
Unauthenticated stack buffer overflow in start_single_service() on Libituo LBT-T300-HW1 ≤1.2.8 via oversized vpn_pptp_server/vpn_l2tp_server POST parameters. CVSS 8.8, remotely exploitable.
CVE-2026-7670: SQL Injection in Jinher OA 1.0 UserSel.aspx
Jinher OA 1.0 fails to sanitize the DeptIDList parameter in UserSel.aspx, enabling unauthenticated remote SQL injection. Full exploit has been published; vendor has not responded to disclosure.
CVE-2026-7668: MikroTik RouterOS SCEP ASN.1 Out-of-Bounds Read
MikroTik RouterOS 6.49.8 SCEP endpoint mishandles ASN.1 string data in transactionID/messageType fields, enabling remote out-of-bounds read via crafted PKIMessage requests.
CVE-2026-2554: WCFM IDOR Allows Vendors to Delete WordPress Admins
WCFM Frontend Manager ≤6.7.25 exposes an insecure direct object reference in wcfm_delete_wcfm_customer, letting Vendor-level accounts delete arbitrary users including site Administrators.
CVE-2026-4100: Paid Memberships Pro Stripe Webhook Takeover via Missing Capability Checks
Missing capability checks on three AJAX handlers in Paid Memberships Pro ≤3.6.5 allow any authenticated subscriber to destroy or hijack Stripe webhook configuration, halting all payment processing.
CVE-2026-4061: Time-Based SQLi in Geo Mashup via Unescaped IN() Clause
Geo Mashup ≤1.13.18 strips WordPress magic quotes in SearchResults then concatenates map_post_type directly into an IN() clause. Unauthenticated time-based blind SQLi results.
CVE-2026-7649: Unauthenticated Blind SQLi in ARMember orderby Parameter
ARMember ≤4.0.60 passes attacker-controlled `orderby` directly into a raw SQL query. Unauthenticated attackers can exfiltrate the full WordPress database via time-based blind injection.
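The two WordPress teasers above (Geo Mashup's IN() clause and ARMember's orderby) come down to the same pair of sinks, shown here as an added sqlite3 example with a constructed schema (not the plugins' code): the concatenated form, with a payload for each sink, beside the parameterized one. An ORDER BY column cannot be bound as a parameter, so the fix there is an allowlist mapping request keys to real column names; the IN() list is built from one placeholder per value.

```python
"""Dynamic SQL done two ways: concatenated IN() and ORDER BY beside the parameterized,
allowlisted form. Added example using sqlite3 with a constructed schema; not the plugins' code.
"""
import sqlite3
from typing import List, Sequence

ORDER_COLUMNS = {"date": "created", "title": "title", "id": "id"}   # request key -> real column


def make_db() -> sqlite3.Connection:
    """Constructed data: three posts and a users row an injection could probe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER, title TEXT, post_type TEXT, created TEXT);
        CREATE TABLE users(id INTEGER, login TEXT, pw TEXT);
        INSERT INTO posts VALUES (1,'Zeta','post','2024-01-02'),
                                 (2,'Draft','page','2024-01-01'),
                                 (3,'Alpha','post','2024-01-03');
        INSERT INTO users VALUES (1,'admin','s3cret');
    """)
    return conn


def search_unsafe(conn: sqlite3.Connection, post_types: Sequence[str], orderby: str) -> List[int]:
    """The flaw: values and the sort key are spliced into the statement text."""
    in_list = ",".join(f"'{t}'" for t in post_types)
    sql = f"SELECT id FROM posts WHERE post_type IN ({in_list}) ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, post_types: Sequence[str],
                orderby: str, direction: str = "asc") -> List[int]:
    """One placeholder per value; ORDER BY resolved through an allowlist, never from input."""
    if not post_types:
        return []                          # 'IN ()' is a syntax error on MySQL; never build it
    column = ORDER_COLUMNS.get(orderby)
    if column is None:
        raise ValueError(f"unknown sort key {orderby!r}")
    dirn = {"asc": "ASC", "desc": "DESC"}.get(direction.lower())
    if dirn is None:
        raise ValueError(f"bad direction {direction!r}")
    placeholders = ",".join("?" * len(post_types))
    sql = f"SELECT id FROM posts WHERE post_type IN ({placeholders}) ORDER BY {column} {dirn}"
    return [row[0] for row in conn.execute(sql, list(post_types))]


# Constructed payloads, one per sink.
IN_PAYLOAD = "post') OR 1=1 --"           # breaks out of IN('...') and disables the filter


def orderby_oracle(guess: str) -> str:
    """Boolean ORDER BY oracle: sort by title when the guess is right, by id otherwise.
    The sort key is spliced unquoted, so quote-escaping alone never reaches it."""
    return ("(CASE WHEN (SELECT substr(pw,1,1) FROM users WHERE id=1)='"
            + guess + "' THEN title ELSE id END)")
```

In WordPress terms the safe variant is $wpdb->prepare() with one %s per IN() value and an array lookup for the sort column; the ORDER BY oracle shows why escaping is not a fix for that sink, since the sort expression is never inside quotes to begin with.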
CVE-2026-7607: Stack Overflow in TRENDnet TEW-821DAP auto_update_firmware
The auto_update_firmware handler in TRENDnet TEW-821DAP 1.12B01 performs an unbounded strcpy on an attacker-supplied URL string, overflowing a fixed stack buffer. CVSS 8.8, remotely triggerable, no authentication required on LAN.
CVE-2026-2052: WordPress Widget Options RCE via eval() Blocklist Bypass
Widget Options ≤4.2.2 passes unsanitized Display Logic expressions to eval(). Contributor-level attackers bypass the blocklist via array_map with string concatenation to achieve RCE.
CVE-2026-7049: Blind SSRF in PixelYourSite Pro scan_video Endpoint
Unauthenticated SSRF in PixelYourSite Pro ≤12.5.0.1 via scan_video allows arbitrary internal network requests. Response bodies are never returned, making this a blind oracle against internal services.
CVE-2026-6963: WP Mail Gateway SMTP Hijack → Admin Takeover
Missing capability check on wmg_save_provider_config lets any Subscriber rewrite SMTP config, redirect password reset emails, and fully compromise WordPress admin accounts.
CVE-2026-4882: Unauthenticated RCE via Unrestricted File Upload in URAF Plugin
The User Registration Advanced Fields plugin fails to validate MIME type or extension in its AJAX upload handler, allowing unauthenticated attackers to upload arbitrary PHP webshells and achieve RCE.
CVE-2026-7594: Path Traversal in mcp-game-asset-gen image_to_3d_async
Unsanitized statusFile argument in mcp-game-asset-gen 0.1.0's image_to_3d_async allows remote path traversal via the MCP interface. Arbitrary file read/write reachable without authentication.
CVE-2026-7593: OS Command Injection in command-executor-mcp-server
Unsanitized user input flows directly into shell execution in command-executor-mcp-server ≤0.1.0. Remote attackers can inject arbitrary OS commands via the MCP interface's execute_command function.
CVE-2026-7592: SQL Injection to RCE in Courier Management System 1.0
Unsanitized `id` parameter in edit_staff.php enables SQL injection: UNION-based extraction dumps the database and an INTO OUTFILE write drops a shell, achieving unauthenticated RCE.
CVE-2026-42484: Heap Overflow in hashcat PKZIP Hash Parser
A heap-based buffer overflow in hashcat's hex_to_binary routine allows attacker-controlled PKZIP hash input to corrupt adjacent heap chunks, enabling denial-of-service or arbitrary code execution.
CVE-2026-42483: Heap Overflow in Hashcat Kerberos Hash Parser
A missing bounds check in hashcat's Kerberos module_hash_decode allows account_info_len to be attacker-controlled, enabling heap overflow via memcpy into a fixed-size buffer. CVSS 9.8.
CVE-2026-42482: Stack Overflow in hashcat's Hex Mangle Functions
A bounds check in hashcat's mangle_to_hex_lower/upper fails to account for 2x byte expansion during hex encoding, enabling stack corruption via crafted rules or long password candidates.
CVE-2026-7579: Hard-Coded Credentials in AstrBot Dashboard Auth
AstrBot ≤4.16.0 ships static credentials in auth.py, granting unauthenticated remote access to the management dashboard. No interaction required beyond network reachability.
CVE-2026-7567: Auth Bypass via Array Injection in Temporary Login Plugin
PHP type confusion in maybe_login_temporary_user() allows unauthenticated attackers to bypass token validation and authenticate as any temporary login user via a single crafted GET request.
CVE-2026-7584: LabOne Q import_cls Deserialization Leads to RCE
LabOne Q's import_cls mechanism deserializes arbitrary Python classes without allowlist validation. A crafted experiment file triggers instantiation of attacker-chosen classes with controlled arguments.
CVE-2026-7555: SQL Injection to RCE in Electronic Judging System 1.0
Unauthenticated SQL injection in /intrams/login.php via the Username parameter allows remote code execution through stacked queries and FILE privilege abuse.
CVE-2026-7546: Stack Overflow in Totolink NR1800X lighttpd find_host_ip
Unbounded strcpy into a fixed stack buffer in lighttpd's find_host_ip() allows remote unauthenticated RCE via a crafted HTTP Host header on Totolink NR1800X 9.1.0u.6279_B20210910.
CVE-2026-7545: SQL Injection via checkEmail Endpoint Enables RCE
SourceCodester Advanced School Management System 1.0 exposes an unsanitized parameter in commonController.php's checkEmail endpoint, enabling blind SQLi-to-RCE via stacked queries and INTO OUTFILE.
CVE-2026-7538: OS Command Injection via proto Arg in Totolink A8000RU CGI
Totolink A8000RU 7.1cu.643_b20200521 exposes unauthenticated OS command injection through the proto argument in cstecgi.cgi. CVSS 9.8, remotely exploitable, PoC public.
CVE-2026-7519: Path Traversal in LiveBOS UploadImage.do Endpoint
Fujian Apex LiveBOS ≤2.0 exposes an unauthenticated file-write primitive via unsanitized filename parameter in /feed/UploadImage.do, enabling arbitrary server-side file placement.
CVE-2026-7435: SSCMS v7.4.0 SQL Injection via stl:sqlContent queryString
SSCMS v7.4.0 passes the queryString attribute of the stl:sqlContent tag directly to database execution without parameterization, enabling arbitrary SQL via encrypted payloads to /api/stl/actions/dynamic.
CVE-2026-36959: U-SPEED N300 /api/login Lacks Rate Limiting
The U-SPEED N300 V1.0.0 /api/login endpoint accepts unlimited authentication attempts with no lockout, enabling local-network brute-force of the admin credential in seconds.
CVE-2026-36958: Boa HTTPd Resource Exhaustion in U-SPEED N300 V1.0.0
Concurrent HTTP flood to the Boa web server on U-SPEED N300 V1.0.0 exhausts per-process file descriptors and connection slots, rendering the management interface permanently unresponsive without reboot.
CVE-2026-36957: Dbit N300 Boa URI Handler Resource Exhaustion DoS
The Dbit N300 T1 Pro boa web server fails to bound concurrent connection state, allowing unauthenticated HTTP flood to exhaust file descriptors and trigger kernel deadlock.
CVE-2026-2892: Otter Blocks Stripe Purchase Verification Bypass via Unsigned Cookie
Otter Blocks ≤3.1.4 trusts an unsigned o_stripe_data cookie to gate Stripe-purchased content, allowing unauthenticated attackers to forge product ownership and access paywalled content.
CVE-2025-48636: Path Traversal in BugreportContentProvider Enables LPE
A path traversal in BugreportContentProvider.openFile() allows arbitrary file read/write with no additional privileges. Affects Wear OS; exploitable by any local app without user interaction.
CVE-2025-48650: SQL Injection in Android Enables Local Privilege Escalation
A SQL injection vulnerability in multiple Android system locations allows local privilege escalation with no additional privileges or user interaction required. CVSS 8.4 HIGH.
CVE-2026-42799: OOB Read in ASR Kestrel nr_fw Power Control
Out-of-bounds read in ASR Kestrel's NrPwrCtrl.C allows buffer overflow via unchecked array indexing in 5G NR power control firmware. Affects all Kestrel builds before 2026-02-10.
CVE-2025-39946: Linux Kernel TLS SKB Overflow via Bogus Record Headers
A heap overflow in the Linux kernel TLS subsystem allows overflow of allocated SKB space when bogus record headers arrive in small OOB chunks. CVSS 9.8 critical.
CVE-2026-7470: Stack Overflow in Tenda 4G300 SafeMacFilter via page Argument
sub_427C3C in /goform/SafeMacFilter copies the attacker-controlled `page` parameter into a fixed-size stack buffer without bounds checking, enabling remote pre-auth RCE at CVSS 8.8.
CVE-2026-7468: smart-admin Druid Console Auth Bypass via Missing Access Control
smart-admin ≤3.30.0 exposes the Druid monitoring console at /smart-admin-api/druid/index.html without authentication enforcement, allowing unauthenticated remote access to database connection pools and query internals.
CVE-2018-25304: Free Download Manager 2.0 SEH Chain Overwrite via URL Import
Free Download Manager 2.0 Build 417's URL import parser overflows a fixed stack buffer during Location header processing, enabling SEH chain overwrite and arbitrary code execution via a crafted .url file.
CVE-2018-25303: SEH Overwrite via Stack Overflow in Allok Video to DVD Burner 2.6.1217
Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow in the License Name registration field. 780 bytes of junk corrupts the SEH chain, enabling arbitrary code execution.
CVE-2018-25302: SEH Buffer Overflow in Allok AVI Converter 4.0.1217
Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a classic SEH-based stack buffer overflow in the license registration dialog. Supplying a crafted License Name string achieves arbitrary code execution.
CVE-2018-25301: SEH Overwrite in Easy MPEG to DVD Burner 1.7.11
Easy MPEG to DVD Burner 1.7.11 contains a classic SEH-based stack buffer overflow in its username field handler. Unbounded string copy overwrites the SEH chain, redirecting execution to attacker shellcode.
CVE-2018-25299: Prime95 29.4b8 SEH Buffer Overflow via Proxy Hostname
Prime95 29.4b8 contains a stack buffer overflow in PrimeNet proxy hostname parsing. An attacker-controlled hostname field overwrites SEH chain pointers, enabling arbitrary code execution.
CVE-2026-5140: CRLF Injection Auth Bypass in Pardus
CRLF injection in TUBITAK BILGEM's Pardus (≤0.6.4) allows unauthenticated session fixation and authentication bypass. CVSS 8.8 HIGH, no patch before 0.8.0.
CVE-2026-42524: Stored XSS in Jenkins HTML Publisher Plugin Legacy Wrapper
Jenkins HTML Publisher Plugin ≤427 fails to escape job name and URL in the legacy wrapper file, enabling stored XSS for any attacker with Item/Configure permission.
CVE-2026-42523: Stored XSS in Jenkins GitHub Plugin via Job URL
Jenkins GitHub Plugin ≤1.46.0 unsafely injects the current job URL into inline JavaScript for GITScm polling validation, enabling stored XSS by any authenticated user with Overall/Read.
CVE-2026-42520: Jenkins Credentials Binding Path Traversal to RCE
Jenkins Credentials Binding Plugin ≤719.v80e905ef14eb_ skips filename sanitization for file/zip credentials, enabling path traversal writes and RCE on the built-in node.
CVE-2026-40886: Argo Workflows Controller Crash Loop via Malformed Pod Annotation
An unchecked array index in podGCFromPod() causes a controller-wide panic when processing a malformed pod-gc-strategy annotation, enabling a persistent crash loop that halts all workflow processing.
CVE-2026-0011: Logic Error in enableSystemPackageLPw Enables Local Privilege Escalation
A logic error in Settings.java's enableSystemPackageLPw silently skips re-enabling system packages, allowing an attacker to permanently suppress location services without elevated privileges.
CVE-2026-3060: Unauthenticated RCE in SGLang's Disaggregation Module via pickle.loads()
SGLang's encoder parallel disaggregation system deserializes untrusted network data with pickle.loads() and no authentication, enabling unauthenticated remote code execution against any exposed inference server.
CVE-2025-13952: UAF in Imagination GPU Shader Compiler (CVSS 9.8)
A crafted WebGL shader triggers a write use-after-free in the Imagination GPU compiler process. On privileged compiler processes, this enables full device compromise.
CVE-2025-27807: OOB Write via Malformed NAS Packets in Exynos Modem
Missing length validation in Exynos modem NAS packet parsing enables out-of-bounds writes across 18 SoC families. CVSS 9.1 critical, remotely triggerable via malformed LTE/5G control plane messages.
CVE-2025-65018: libpng Heap Overflow in 16-bit Interlaced PNG Processing
A heap buffer overflow in libpng's simplified API png_image_finish_read corrupts memory when downsampling 16-bit interlaced PNGs to 8-bit output, affecting versions 1.6.0–1.6.50.
CVE-2025-48635: Activity Token Leak in TaskFragmentOrganizerController
A logic error in TaskFragmentOrganizerController.java leaks activity IBinder tokens to unprivileged apps, enabling local privilege escalation without user interaction on Android.
CVE-2026-41380: OpenClaw Allowlist Bypass via Dispatch Wrapper Carrier Routing
OpenClaw's exec-approvals-allowlist.ts trusts the carrier executable rather than the invoked target, letting dispatch wrappers register overly broad allow-always entries. CVSS 7.3.
CVE-2026-41379: OpenClaw Operator Privilege Escalation via chat.send to Admin Voice Config
Authenticated operators with write permissions can reach admin-class Talk Voice configuration via the chat.send endpoint, bypassing role-based access controls entirely. CVSS 7.1 HIGH, no authentication bypass required.
CVE-2026-41378: OpenClaw node.event Dispatch Bypass Leads to RCE
Paired nodes with role=node in OpenClaw can dispatch unrestricted agent.request events via the gateway, bypassing tool ACLs and achieving remote code execution. CVSS 8.8.
CVE-2026-7288: Stack Overflow in D-Link DIR-825M VPN Config Handler
D-Link DIR-825M 1.1.12 exposes a stack-based buffer overflow in sub_4151FC via the submit-url parameter of /boafrm/formVpnConfigSetup. Unauthenticated remote code execution is achievable.
CVE-2026-7272: Path Traversal in matlab-mcp-server MCP Interface
Unsanitized scriptPath argument in matlab-mcp-server's generate_matlab_code/execute_matlab_code allows remote path traversal via the MCP interface. Affects all commits through ab88f6b9bf5f36f7.
CVE-2026-5944: Unauthenticated API Passthrough in Cisco Intersight Device Connector
The Intersight Device Connector for Nutanix Prism Central exposes an unauthenticated API passthrough on TCP/7373, permitting cluster enumeration and maintenance workflow invocation without credentials.
CVE-2026-5435: glibc ns_sprintrrf TSIG Out-of-Bounds Write
A missing bounds check in glibc's ns_sprintrrf TSIG handling path allows up to 6 bytes of out-of-bounds write via sprintf, affecting all glibc versions since 2.2.
CVE-2026-7216: Path Traversal in processing-claude-mcp-bridge via sketch_name
The create_sketch tool in donchelo/processing-claude-mcp-bridge fails to sanitize the sketch_name argument, enabling remote path traversal through directory separators. Arbitrary file write is achievable without authentication.
CVE-2026-7215: Command Injection in gmx-vmd-mcp VMD Launch Handler
Unsanitized file path arguments in gmx-vmd-mcp's launch_vmd_gui_tool function allow remote command injection via shell metacharacters in structure_file or trajectory_file parameters.
CVE-2026-7214: Path Traversal in engineer-your-data File API
engineer-your-data ≤0.1.3 exposes unauthenticated file-system access via unsanitized WORKSPACE_PATH in four server endpoints. Remote attackers can read, write, and enumerate arbitrary host files.
CVE-2026-7213: Path Traversal in MLOps_MCP save_file Tool
MLOps_MCP 1.0.0's save_file tool passes attacker-controlled filename/destination arguments directly to file I/O without sanitization, enabling arbitrary write outside the intended working directory.
CVE-2026-7212: Path Traversal in notes-mcp via Unsanitized root_dir
notes-mcp ≤0.1.4 exposes arbitrary filesystem read/write through unsanitized path arguments in its MCP tool handlers. An attacker with MCP client access can escape the intended notes directory.
CVE-2026-7154: Totolink A8000RU CGI OS Command Injection via tty_server
Unauthenticated OS command injection in Totolink A8000RU 7.1cu.643_b20200521 via the tty_server parameter in setAdvancedInfoShow. CVSS 9.8, remotely exploitable, PoC public.
CVE-2026-7153: OS Command Injection in Totolink A8000RU CGI Handler
The setMiniuiHomeInfoShow function in Totolink A8000RU 7.1cu.643_b20200521 passes attacker-controlled sys_info directly to a shell command without sanitization, enabling unauthenticated RCE.
CVE-2026-7152: OS Command Injection in Totolink A8000RU setTelnetCfg
The setTelnetCfg handler in Totolink A8000RU 7.1cu.643_b20200521 passes attacker-controlled input directly to a shell command string. Unauthenticated remote code execution, CVSS 9.8.
CVE-2026-7151: Stack Buffer Overflow in Tenda HG3 formUploadConfig
Tenda HG3 2.0's formUploadConfig handler on /boaform/formIPv6Routing performs no bounds check on the destNet parameter, enabling unauthenticated remote stack corruption with CVSS 8.8.
CVE-2026-6741: LatePoint Agent Role Escalates to WordPress Admin
Missing authorization in LatePoint's connect-customer-to-wp-user ability lets any latepoint_agent link a customer record to an admin account and hijack it via password reset.
CVE-2026-7122: Totolink A8000RU setUPnPCfg Command Injection
Unauthenticated OS command injection in Totolink A8000RU's setUPnPCfg CGI handler allows remote code execution via an unsanitized `enable` parameter passed directly to a shell.
CVE-2026-7121: OS Command Injection in Totolink A8000RU setWizardCfg
Unauthenticated OS command injection in Totolink A8000RU 7.1cu.643_b20200521 via the wizard argument in the setWizardCfg CGI handler. CVSS 9.8, remotely exploitable, no auth required.
CVE-2026-7119: OS Command Injection in Tenda HG3 /boaform/formCountrystr
Tenda HG3 2.0 exposes an unauthenticated command injection vector via the countrystr parameter in /boaform/formCountrystr. Unsanitized input reaches a shell execution sink directly.
CVE-2026-7094: SSRF via Unvalidated URL in GlutamateMCPServers puppeteer_navigate
ShadowCloneLabs GlutamateMCPServers exposes an SSRF primitive through puppeteer_navigate's url argument. No origin validation allows attackers to proxy requests through the server to internal networks.
CVE-2026-7077: SQL Injection to RCE in Courier Management System
Unsanitized `id` parameter in edit_parcel.php enables blind SQLi in itsourcecode Courier Management System 1.0. Exploitable remotely with no authentication required.
CVE-2026-3006: Linux Kernel Heap Overflow via Race Condition → LPE
A race condition in the Linux kernel's file operation dispatch path allows heap overflow via unsynchronized size validation, leading to local privilege escalation to root.
CVE-2026-7076: SQL Injection to RCE in Courier Management System 1.0
An unsanitized GET/POST parameter in edit_branch.php enables blind SQL injection. Chained with INTO OUTFILE, this yields unauthenticated remote code execution on misconfigured deployments.
CVE-2026-7075: SQL Injection to RCE in itsourcecode Construction Management System
Unsanitized `address` parameter in `/locations.php` passes attacker input directly into a MySQL query, enabling UNION-based extraction and stacked-query RCE via INTO OUTFILE.
CVE-2026-7074: SQL Injection via Unsanitized `code` Parameter in execute1.php
itsourcecode Construction Management System 1.0 passes attacker-controlled input directly into a SQL query in execute1.php. Unauthenticated remote exploitation enables data exfiltration and OS-level command execution via stacked queries.
CVE-2018-25263: Faleemi Desktop SEH Overwrite via Device Alias Field
Faleemi Desktop Software 1.8.2 contains an unbounded stack copy in the Device alias field, enabling SEH chain overwrite and arbitrary code execution via a crafted payload.
CVE-2026-6786: Memory Safety Bugs Enable RCE in Firefox 149 / ESR 140.9
Memory corruption in Firefox 149 and ESR 140.9 spans the JS engine, WebRTC, and Web Codecs subsystems. Sufficient effort converts these bugs into arbitrary code execution.
CVE-2026-6785: Memory Safety Bugs Enable RCE in Firefox ESR 115/140
Memory corruption bugs across Firefox ESR 115.34 and 140.9 show evidence of heap corruption. With sufficient effort, arbitrary code execution is achievable via browser-resident JavaScript.
CVE-2026-7039: Command Injection in ssh-mcp via shell.write Description Arg
ssh-mcp ≤1.5.0 passes an unsanitized Description argument directly into a shell command string inside shell.write, enabling local command injection with process privileges.
CVE-2026-7037: OS Command Injection in Totolink A8000RU setVpnPassCfg
Unauthenticated remote command injection in Totolink A8000RU 7.1cu.643_b20200521 via an unsanitized pptpPassThru argument passed directly to a shell executor in setVpnPassCfg.
CVE-2026-7036: Path Traversal in Tenda i9 R7WebsSecurityHandler
Tenda i9 1.0.0.5(2204) exposes an unauthenticated path traversal via R7WebsSecurityHandler in the HTTP stack. Remote attackers can read arbitrary files from the device filesystem.
CVE-2026-7035: Stack Overflow in Tenda FH1202 fromWrlclientSet via Go Arg
Tenda FH1202 1.2.0.14 httpd exposes a stack-based buffer overflow in fromWrlclientSet. Unauthenticated remote attackers can overwrite the saved return address via the unchecked Go parameter.
CVE-2026-7034: Tenda FH1202 WrlExtraSet Stack Buffer Overflow
A stack-based buffer overflow in Tenda FH1202's httpd WrlExtraSet handler allows remote unauthenticated attackers to achieve code execution via a crafted Go parameter.
CVE-2026-7031: Stack Overflow in Tenda F456 fromSafeMacFilter
Tenda F456 1.0.0.5 exposes a stack-based buffer overflow in fromSafeMacFilter via the page parameter, allowing unauthenticated RCE over the LAN. CVSS 8.8.
CVE-2026-7030: Stack Buffer Overflow in Tenda F456 fromRouteStatic
The fromRouteStatic handler in Tenda F456 1.0.0.5 copies an attacker-controlled `page` parameter into a fixed-size stack buffer without bounds validation, enabling unauthenticated RCE via HTTP.
CVE-2026-7029: Tenda F456 addressNat Stack Overflow via Unbounded strcpy
fromaddressNat() in Tenda F456 1.0.0.5 copies attacker-controlled POST parameters into fixed-size stack buffers without bounds checks, enabling unauthenticated RCE from the LAN.
CVE-2026-7025: SSRF in Typecho Pingback via Unvalidated X-Pingback Header
Typecho ≤1.3.0 allows unauthenticated SSRF through Service::sendPingHandle. Attacker-controlled X-Pingback/link values trigger outbound HTTP requests to arbitrary internal hosts.
CVE-2026-7022: SmythOS AgentRuntime HTTP Header Authentication Bypass
SmythOS sre ≤0.0.15 exposes unauthenticated remote code execution via debug HTTP headers in AgentRuntime. X-DEBUG-RUN and X-DEBUG-INJ bypass all authentication middleware.
CVE-2026-7019: Tenda F456 fromP2pListFilter Stack Buffer Overflow
A remotely exploitable stack buffer overflow in Tenda F456 1.0.0.5 allows unauthenticated attackers to corrupt stack memory via the manufacturer/Go argument in the P2pListFilter goform handler.
CVE-2025-54957: Integer Wraparound OOB Write in Dolby UDC DD+ Decoder
An integer wraparound in evo_priv.c's length calculation allows a malformed DD+ bitstream to trigger an out-of-bounds heap write in Dolby UDC 4.5–4.13, exploitable 0-click via Android audio transcription.
CVE-2025-48615: MediaSession Persistence Desync Enables Local Privilege Escalation
A resource-exhaustion-induced desync in MediaButtonReceiverHolder.getComponentName() allows a local attacker to corrupt media session state and escalate privileges without user interaction.
CVE-2025-49495: Exynos WiFi Driver NL80211 Vendor Command Buffer Overflow
Samsung Exynos 1380/1480/2400/1580 WiFi drivers mishandle NL80211 vendor command payloads, triggering a kernel-space buffer overflow. CVSS 8.4 HIGH, no bounds check on attacker-controlled length field.
CVE-2026-20990: Secure Folder Improper Export Enables Privilege Escalation
An improperly exported Android component in Samsung Secure Folder allows local attackers to launch arbitrary activities with Secure Folder privileges, bypassing Knox isolation boundaries.
CVE-2026-0028: pKVM Integer Overflow Enables Hypervisor OOB Write
An integer overflow in __pkvm_host_share_guest() allows an unprivileged local attacker to corrupt hypervisor-managed memory, enabling privilege escalation to EL2 without any user interaction.
CVE-2026-6988: Tenda HG10 formRoute nextHop Stack Overflow via Boa
A stack buffer overflow in Tenda HG10's formRoute handler allows unauthenticated remote attackers to corrupt the stack via an oversized nextHop argument. CVSS 8.8.
CVE-2026-6980: Command Injection in GitPilot-MCP repo_path
GitPilot-MCP's repo_path function passes unsanitized user input directly to shell execution. Remote attackers can achieve arbitrary command execution via crafted MCP tool arguments.
CVE-2025-48654: CompanionDeviceManagerService Confused Deputy LPE
A logic error in CompanionDeviceManagerService.onStart() enables a confused deputy attack, allowing any local app to escalate privileges with zero user interaction required.
CVE-2025-52519: Exynos issimian Driver Input Validation Flaw Leaks Kernel Memory
The issimian camera device driver on Exynos 1330–2500 fails to validate user-space ioctl input, enabling unprivileged kernel memory disclosure and local DoS via a malformed request.
CVE-2026-6977: Improper Authorization in Vanna-AI Legacy Flask API
Vanna-AI's legacy Flask API skips authorization checks on sensitive endpoints, allowing unauthenticated remote callers to invoke arbitrary query and training functions through version 2.0.2.
CVE-2025-48619: Read-Only ContentProvider File Truncation Leads to LPE
A logic error in Android's ContentProvider.java allows read-only apps to truncate arbitrary files, enabling local privilege escalation without user interaction on all affected Android versions.
CVE-2026-20432: MediaTek Modem OOB Write via Rogue Base Station
Missing bounds check in MediaTek's modem stack allows a rogue LTE/NR base station to trigger an out-of-bounds write, enabling remote privilege escalation with no modem-side privileges required.
CVE-2026-41485: Kyverno forEach Type Assertion Crashes Cluster Controllers
An unchecked type assertion in Kyverno's forEach mutation handler lets any Policy-creating user crash the background controller into a persistent CrashLoopBackOff and block all admission operations.
CVE-2026-6951: simple-git RCE via --config Filter Bypass
simple-git <3.36.0 allows RCE by passing --config instead of -c to git clone, bypassing the CVE-2022-25912 patch. CVSS 9.8.
CVE-2026-41414: Skim's PR Workflow Executes Attacker Code with Secret Access
Skim's pr.yml workflow checks out fork code and runs it via cargo run with SKIM_RS_BOT_PRIVATE_KEY exposed. Any GitHub user can trigger full secret exfiltration by opening a pull request.
CVE-2026-41328: DQL Injection in Dgraph Exposes Full Database Read
Dgraph's addQueryIfUnique constructs DQL queries via fmt.Sprintf with unsanitized language-tag input, enabling unauthenticated full database read via two HTTP POSTs to port 8080.
CVE-2026-41327: Dgraph Upsert Mutation DQL Injection Gives Full DB Read
Dgraph's upsert mutation handler concatenates attacker-controlled cond strings directly into DQL query bodies. A single unauthenticated HTTP POST achieves full database exfiltration pre-25.3.3.
CVE-2026-33662: OP-TEE EMSA-PKCS#1 Integer Underflow → Unbounded memset
Integer underflow in emsa_pkcs1_v1_5_encode() lets an attacker with a small-modulus RSA key corrupt the entire OP-TEE secure heap via an unbounded memset(), crashing the TEE.
CVE-2026-33524: Zserio Array Length Confusion Triggers 16 GB OOM
A 4-byte crafted Zserio payload forces allocation of up to 16 GB via unchecked varuint array length fields, crashing any process with OOM. Fixed in 2.18.1.
CVE-2026-0010: OOB Write in IDrmManagerService Enables Local LPE
Missing bounds check in IDrmManagerService::onTransact allows an out-of-bounds write via crafted Binder transactions, enabling local privilege escalation with no additional permissions required.
CVE-2026-24765: PHPUnit PHPT Coverage Deserialization RCE
PHPUnit's cleanupForCoverage() deserializes stale .coverage files without allowed_classes restriction, enabling RCE via attacker-placed gadget chains prior to PHPT test execution.
CVE-2025-48646: ActivityStarter Confused Deputy Enables Local Privilege Escalation
A confused deputy in ActivityStarter.executeRequest() allows an unprivileged app to launch arbitrary activities in foreign task stacks, achieving local privilege escalation without extra permissions.
CVE-2026-0035: MediaProvider createRequest Logic Error Enables Privilege Escalation
A logic error in MediaProvider.java's createRequest grants arbitrary read/write to non-existent files, enabling local privilege escalation with no user interaction required.
CVE-2026-22042: RustFS IAM Action Mismatch Enables Privilege Escalation
RustFS's ImportIam admin API validates against ExportIAMAction instead of ImportIAMAction, letting export-only principals perform privileged IAM writes. CVSS 8.8.
CVE-2026-3308: Integer Overflow in MuPDF pdf_load_image_imp Enables Heap OOB Write
An integer overflow in MuPDF 1.27.0's pdf_load_image_imp allows a crafted PDF to trigger a heap out-of-bounds write, potentially enabling arbitrary code execution on any platform running the viewer.
CVE-2026-5443: Heap Overflow in Orthanc DICOM Palette Color Decoder
A 32-bit integer overflow in Orthanc's PALETTE COLOR pixel length calculation silently passes validation, enabling a heap buffer overflow during DICOM image decoding. CVSS 9.8.
CVE-2026-5367: OVN DHCPv6 Client ID OOB Read Leaks Heap Memory
OVN's DHCPv6 SOLICIT handler trusts an attacker-supplied Client ID length field, triggering an out-of-bounds heap read that returns sensitive memory to the attacker's VM port.
CVE-2026-41068: Kyverno ConfigMap Context Loader RBAC Bypass
Kyverno's ConfigMap context loader accepts arbitrary namespace values with zero validation, letting a namespace admin read ConfigMaps cluster-wide via Kyverno's privileged service account.
CVE-2026-41309: OSSN Image Decompression DoS via Unchecked Pixel Dimensions
OSSN <9.0 fails to validate image pixel dimensions before allocation, allowing a crafted PNG to exhaust server memory and CPU. CVSS 8.2 HIGH.
CVE-2026-33318: Actual Budget Auth Chain Yields ADMIN Escalation
Three weaknesses in Actual's auth migration path combine into a full privilege escalation: any BASIC user can overwrite the admin password hash and authenticate as ADMIN via a client-supplied loginMethod bypass.
CVE-2026-33317: OP-TEE PKCS#11 OOB Read/Write in entry_get_attribute_value()
Missing bounds checks in OP-TEE's PKCS#11 TA allow an attacker to read 7 bytes past a heap template buffer and write arbitrary attribute data beyond it, affecting versions 3.13.0–4.10.0.
CVE-2026-41270: Flowise SSRF Bypass via Unguarded Node.js VM Modules
Flowise's Custom Function sandbox blocks axios/node-fetch via HTTP_DENY_LIST but leaves native Node.js http, https, and net modules fully unrestricted, enabling authenticated SSRF to internal metadata services.
CVE-2026-41269: Flowise MIME Bypass Enables Persistent Node.js Web Shell RCE
Flowise's chatflow config upload endpoint accepts attacker-modified MIME types, permitting .js file uploads that persist as server-side Node.js web shells enabling full RCE.
CVE-2026-41268: Flowise Unauthenticated RCE via NODE_OPTIONS Injection
Flowise <3.1.0 allows unauthenticated RCE via FILE-STORAGE:: keyword parameter override combined with NODE_OPTIONS environment variable injection. Single HTTP request, root-level command execution.
CVE-2026-41138: RCE via Prompt Injection in Flowise AirtableAgent
Flowise's AirtableAgent passes unsanitized user input directly into a Python code-execution prompt template, enabling remote code execution prior to 3.1.0.
CVE-2026-34001: Use-After-Free in X.Org miSyncTriggerFence()
A use-after-free in X.Org's XSYNC fence triggering logic allows local attackers to crash the X server or corrupt heap memory via miSyncTriggerFence().
CVE-2026-23751: Unauthenticated RCE via .NET Remoting in Tungsten Capture
Tungsten Capture 6.0.0.0 exposes an unauthenticated .NET Remoting HTTP channel on port 2424, enabling arbitrary file read/write and RCE via object unmarshalling without credentials.
CVE-2025-62373: Pipecat LiveKit Serializer RCE via Unsafe pickle.loads()
Pipecat versions 0.0.41–0.0.93 pass untrusted WebSocket data directly into pickle.loads() in LivekitFrameSerializer.deserialize(), enabling unauthenticated RCE against any server using this serializer.
CVE-2026-41460: SocialEngine get-memberall SQLi to RCE
Unauthenticated SQL injection in SocialEngine ≤7.8.0 via the `text` parameter of `/activity/index/get-memberall` enables full database read, admin password reset, and RCE via Packages Manager.
CVE-2025-70994: Yadea T5 EV1527 Fixed-Code Replay Attack Enables Full Vehicle Takeover
Yadea T5 e-bikes (2024+) use EV1527 fixed-code RF with no rolling codes or challenge-response. One captured transmission is sufficient for permanent unauthorized access.
CVE-2026-6903: Path Traversal in Zurich Instruments LabOne Web Server
The LabOne Web Server exposes an unauthenticated path traversal allowing arbitrary file reads on the host. A secondary CORS misconfiguration enables cross-origin exploitation via malicious websites.
CVE-2026-6886: Borg SPM 2007 Authentication Bypass — Full Unauthenticated Login
Borg SPM 2007's session validation logic can be trivially bypassed by remote unauthenticated attackers, granting full access as any system user. CVSS 9.8.
CVE-2026-5464: ExactMetrics Onboarding Key Leak Enables Unauthenticated RCE
ExactMetrics leaks its onboarding_key transient to low-privilege users, chaining through an unchecked AJAX endpoint to achieve arbitrary plugin ZIP installation and remote code execution.
CVE-2026-3844: Breeze Cache Gravatar Upload Leads to RCE
Breeze Cache ≤2.4.4 accepts attacker-controlled file extensions in fetch_gravatar_from_remote(), allowing unauthenticated arbitrary file upload and remote code execution.
CVE-2026-41679: Unauthenticated RCE in Paperclip AI Orchestrator
A six-stage exploit chain bypasses Paperclip's authentication layer entirely, achieving unauthenticated RCE on default deployments. No credentials, no interaction, CVSS 10.0.
CVE-2026-41208: Paperclip Agent API Key Escalates to Host RCE
An agent credential in Paperclip ≤2026.415.x allows arbitrary OS command injection via adapterConfig.workspaceStrategy.provisionCommand, executed unsanitized by the server runtime.
CVE-2026-41180: PsiTransfer Path Traversal to RCE via tus Upload Handler
PsiTransfer's PATCH upload flow validates the encoded req.path but writes using the decoded req.params.uploadId, enabling path traversal to plant attacker-controlled JS config files executed on restart.
CVE-2026-34415: Xerte elFinder Auth Bypass + PHP4 Upload RCE
Xerte ≤3.15 elFinder connector allows unauthenticated PHP4 shell upload via broken regex, session fixation bypass, and path traversal. CVSS 9.8.
CVE-2026-34414: Xerte elFinder Connector Path Traversal to RCE
Xerte Online Toolkits ≤3.15 exposes an unsanitized rename endpoint in its elFinder connector, allowing authenticated attackers to relocate arbitrary PHP files into the webroot for unauthenticated RCE.
CVE-2026-34413: Xerte elFinder Auth Bypass Leads to RCE
Xerte Online Toolkits ≤3.15 exposes elFinder's connector.php without authentication enforcement. A missing exit() after HTTP redirect allows full PHP execution, enabling unauthenticated file upload and RCE.
CVE-2026-26354: Stack Overflow in Dell DD OS Enables Unauthenticated RCE
A stack-based buffer overflow in Dell PowerProtect Data Domain OS affects versions 7.7.1.0–8.6. An unauthenticated remote attacker can achieve arbitrary command execution without credentials.
CVE-2025-48653: Permission Obscuring Logic Error Enables LPE
A logic error in loadDataAndPostValue allows an unprivileged local process to obscure permission usage, achieving privilege escalation without user interaction on Android.
CVE-2025-48582: Android Intent Redirect Bypasses MANAGE_EXTERNAL_STORAGE
An intent redirect in Android's media stack allows unprivileged apps to delete arbitrary external storage files without MANAGE_EXTERNAL_STORAGE. No user interaction required, CVSS 8.4.
CVE-2026-6857: RCE via Unsafe Deserialization in camel-infinispan ProtoStream
Unsafe deserialization in camel-infinispan's ProtoStream remote aggregation repository allows low-privileged attackers to achieve arbitrary code execution by sending crafted payloads to the aggregation endpoint.
CVE-2026-6855: InstructLab Chat Session Path Traversal via logs_dir
InstructLab's chat session handler fails to sanitize the logs_dir parameter, allowing local attackers to traverse directory boundaries and write files to arbitrary filesystem locations.
CVE-2026-22754: Spring Security Servlet-Path Authorization Bypass
Spring Security 7.0.0–7.0.4 fails to include the servlet-path when computing path matchers, silently dropping intercept-url authorization rules and enabling unauthenticated access to protected endpoints.
CVE-2026-40871: Second-Order SQL Injection in mailcow quarantine_notify
mailcow's quarantine_category API field stores unsanitized input that quarantine_notify.py later interpolates into raw SQL, enabling UNION-based credential exfiltration via deferred injection.
CVE-2026-40870: Decidim GraphQL API Authorization Bypass via Root commentable Field
Decidim's root-level GraphQL `commentable` field exposes all platform resources without permission checks. Unauthenticated attackers can enumerate and extract sensitive participatory data via the public `/api` endpoint.
CVE-2026-40869: Decidim Amendment Authorization Bypass Enables Privilege Escalation
Any authenticated Decidim user can accept or reject amendments on proposals they don't own, hijacking authorship. Affects versions 0.19.0 through 0.30.4 and 0.31.0.
CVE-2026-40613: Coturn STUN Misaligned Pointer Cast Crashes ARM64 Servers
Unsafe uint8_t* to uint16_t* casts in coturn's STUN attribute parser trigger SIGBUS on ARM64 strict-alignment hosts. A single crafted UDP packet kills any unauthenticated turnserver process.
CVE-2025-14362: GoAnywhere MFT SFTP Login Limiter Bypass Enables SSH Key Brute Force
GoAnywhere MFT's SFTP subsystem fails to enforce login attempt limits for SSH key-authenticated Web Users, allowing unauthenticated brute force of private keys prior to 7.10.0.
CVE-2026-6784: Memory Corruption in Firefox 149 Enables RCE
Firefox 149 and Thunderbird 149 contain memory safety bugs with evidence of heap corruption across JS engine, WebRTC, and Web Codecs components. Arbitrary code execution is presumed achievable with sufficient effort.
CVE-2026-20983: Samsung Dialer Improper Component Export Enables Privilege Escalation
Samsung Dialer exposes an improperly exported Activity component, allowing any local application to launch arbitrary activities under the Dialer's system-level privileges without authorization.
CVE-2026-20401: MediaTek Modem Uncaught Exception Remote DoS
A missing exception handler in MediaTek's modem stack allows a rogue base station to crash any connected UE remotely. No privileges or user interaction required.
CVE-2025-54602: Samsung Exynos Wi-Fi Driver UAF via Ioctl Race
Improper synchronization on a global variable in the Samsung Exynos Wi-Fi driver allows concurrent ioctl callers to race into a use-after-free. CVSS 7.0, affects Exynos 980 through W1000.
CVE-2026-31368: Type Privilege Bypass in HONOR AiAssistant
AiAssistant on HONOR devices contains a type privilege bypass allowing unprivileged callers to invoke restricted service operations, leading to service availability impact.
CVE-2026-40497: FreeScout CSS Injection Leaks CSRF Tokens
FreeScout's stripDangerousTags() omits <style> sanitization, allowing CSS attribute-selector exfiltration of CSRF tokens from any agent viewing an attacker-controlled mailbox.
CVE-2026-39973: Apktool Path Traversal via Stripped Sanitization Call
A security regression in Apktool 3.0.0–3.0.1 removed BrutIO.sanitizePath(), allowing ../sequences in resources.arsc to escape the output directory and write arbitrary files, enabling RCE.
CVE-2026-39320: ReDoS via Unescaped Regex in Signal K WebSocket Subscriptions
Signal K Server <2.25.0 allows unauthenticated attackers to inject regex metacharacters into the WebSocket `context` parameter, triggering catastrophic backtracking and 100% CPU DoS.
CVE-2026-32604: Spinnaker Clouddriver RCE via Unsanitized Git Artifact
Spinnaker's clouddriver service passes attacker-controlled git repo URLs directly to shell execution, enabling trivial unauthenticated RCE. CVSS 9.9 critical, all versions prior to 2026.1.0 affected.
CVE-2026-6257: Vvveb CMS File Rename Logic Flaw Enables RCE
A missing return statement in Vvveb CMS v1.0.8's file rename handler allows authenticated attackers to bypass extension blocklists, upload .htaccess and .php files, and execute arbitrary OS commands as www-data.
CVE-2026-6249: Vvveb CMS 1.0.8 RCE via .phtml Extension Bypass
Vvveb CMS 1.0.8 media upload handler fails to block .phtml extensions, allowing authenticated attackers to upload PHP webshells and achieve full server compromise via HTTP request.
CVE-2026-5478: Everest Forms Path Traversal → Arbitrary File Read & Deletion
Unauthenticated attackers exploit attacker-controlled old_files parameters in Everest Forms ≤3.4.4 to read wp-config.php via notification email attachment and delete arbitrary files via unlink().
CVE-2026-6248: wpForo Arbitrary File Deletion → RCE via Unsanitized Profile Field
wpForo ≤3.0.5 allows subscriber-level users to store arbitrary filesystem paths in file-type custom profile fields, which are later passed unvalidated to unlink(), enabling RCE via wp-config.php deletion.
CVE-2026-3519: OS Command Injection RCE in Progress ADC LoadMaster API
Unsanitized input in the `aclcontrol` API command allows authenticated attackers with VS Administration permissions to inject arbitrary OS commands on Progress ADC LoadMaster appliances.
CVE-2026-3518: OS Command Injection RCE in Progress ADC LoadMaster API
Unsanitized input in the LoadMaster `killsession` API command allows authenticated attackers with "All" permissions to inject arbitrary OS commands and achieve RCE on the appliance.
CVE-2026-3517: OS Command Injection RCE in Progress ADC LoadMaster API
Authenticated attackers with Geo Administration permissions can inject arbitrary OS commands via the unsanitized `addcountry` API parameter in Progress ADC LoadMaster, achieving full appliance RCE.
CVE-2026-6635: JWE Header Bypass in rowboat tools_webhook
rowboat ≤0.1.67 tools_webhook fails to validate the X-Tools-JWE header before dispatching tool calls, allowing unauthenticated remote code execution via crafted webhook requests.
CVE-2026-6615: Path Traversal to RCE in SuperAGI Multipart Upload
SuperAGI's multipart upload handler fails to sanitize the filename argument, enabling path traversal that allows remote attackers to write arbitrary files and achieve code execution.
CVE-2026-5966: ThreatSonar Path Traversal Enables Arbitrary File Deletion
ThreatSonar Anti-Ransomware by TeamT5 exposes an authenticated path traversal bug allowing remote attackers to delete arbitrary files via the web interface. CVSS 8.1.
CVE-2026-32956: Heap Overflow in silex SD-330AC Redirect URL Parsing
A pre-auth heap-based buffer overflow in silex SD-330AC and AMC Manager's redirect URL processing allows remote code execution. CVSS 9.8, no authentication required.
CVE-2026-32955: Stack Buffer Overflow in silex SD-330AC Redirect URL Handling
silex SD-330AC ≤1.42 and AMC Manager ≤5.0.2 contain a stack-based buffer overflow in redirect URL processing. Authenticated network attackers can achieve arbitrary code execution on the device.
CVE-2026-6596: Unrestricted File Upload RCE in Langflow API
Langflow ≤1.1.0 allows unauthenticated arbitrary file upload via create_upload_file(), bypassing extension and MIME validation entirely. Remote code execution is achievable by uploading a Python module to a predictable path.
CVE-2026-6595: Blind SQLi in School Management buslocation.php
Unauthenticated SQL injection via bus_id GET parameter in buslocation.php allows full database exfiltration. No sanitization, no parameterization, direct string interpolation into query.
CVE-2026-6581: Stack Overflow in H3C Magic B1 SetMobileAPInfoById
H3C Magic B1 routers up to 100R004 expose an unauthenticated stack buffer overflow via the SetMobileAPInfoById handler at /goform/aspForm. Remote code execution is trivially achievable.
CVE-2026-6580: Hard-Coded Crypto Key in DjangoBlog OwnTracks Handler
DjangoBlog ≤2.1.0.0 embeds a static AES/HMAC key in owntracks/views.py, enabling any remote attacker to forge location payloads or decrypt intercepted traffic.
CVE-2026-6577: Missing Authentication on DjangoBlog OwnTracks Endpoint
DjangoBlog ≤2.1.0.0 exposes the logtracks endpoint in owntracks/views.py without authentication, allowing unauthenticated remote attackers to write location tracking data.
CVE-2025-48634: WMS relayoutWindow Missing Permission Check Enables Tapjacking
A missing permission check in WindowManagerService.relayoutWindow() allows unprivileged apps to manipulate window layout parameters, enabling tapjack attacks and local privilege escalation without user interaction.
CVE-2025-48579: MediaProvider Confused Deputy Bypasses External Storage Write
A confused deputy in MediaProvider.java allows any local app to bypass external storage write permissions, achieving local privilege escalation with zero user interaction required.
CVE-2026-6574: Hard-Coded Credentials in LightPicture lp.sql Install Endpoint
LightPicture ≤1.2.2 ships a publicly accessible install SQL file containing hard-coded admin credentials. Remote unauthenticated attackers can extract and reuse these credentials for full application compromise.
CVE-2026-6568: Path Traversal in KodExplorer 4.52 Public Share Handler
KodExplorer's initShareOld() fails to sanitize the path argument before filesystem access, enabling unauthenticated directory traversal. Remote attackers can read arbitrary files outside the webroot.
CVE-2026-6563: Stack Overflow in H3C Magic B1 SetAPWifiorLedInfoById
H3C Magic B1 routers up to 100R004 expose an unauthenticated stack buffer overflow in SetAPWifiorLedInfoById via /goform/aspForm. Remote code execution is trivially achievable with a crafted param argument.
CVE-2026-6562: SQL Injection in muucmf getListByPage via keyword Param
muucmf 1.9.5.20260309's getListByPage function passes unsanitized keyword input directly into a SQL query string. Remote unauthenticated attackers can exfiltrate the full database.
CVE-2026-6560: Stack Buffer Overflow in H3C Magic B0 Edit_BasicSSID
H3C Magic B0 routers up to 100R002 expose a stack buffer overflow in Edit_BasicSSID via /goform/aspForm. Remote unauthenticated attackers can corrupt the stack and achieve code execution.
CVE-2026-5438: Orthanc gzip Decompression Bomb via Unbounded Allocation
Orthanc ≤1.12.10 allocates memory based on attacker-controlled gzip metadata with no size ceiling. A crafted Content-Encoding: gzip request exhausts system memory and crashes the server.
CVE-2025-54601: Samsung Exynos Wi-Fi Driver Double Free via ioctl Race
A race condition in Samsung's Exynos Wi-Fi driver allows concurrent ioctl callers to double-free a global variable, yielding local privilege escalation on affected Exynos SoCs.
CVE-2025-32313: OOB Write in Android UsageEvents Parcel Deserialization
An incorrect bounds check in UsageEvents.java allows an out-of-bounds write during Parcel deserialization, enabling local privilege escalation with no user interaction required.
CVE-2025-48544: SQL Injection in Android Enables Cross-App File Read
A SQL injection flaw in Android's content provider layer allows local privilege escalation by reading files belonging to other apps. No additional privileges or user interaction required.
CVE-2026-0030: OOB Write in __host_check_page_state_range Enables LPE
An incorrect bounds check in __host_check_page_state_range of mem_protect.c allows an out-of-bounds write, enabling local privilege escalation with no additional privileges required.
CVE-2026-33825: Microsoft Defender ACL Granularity LPE
Insufficient access control granularity in Microsoft Defender allows a local authorized attacker to escalate privileges to SYSTEM via a logic flaw in the service's IPC surface.
CVE-2026-5231: WP Statistics utm_source Stored XSS via innerHTML Sink
WP Statistics ≤14.16.4 copies raw utm_source into source_name on wildcard channel match, then renders it via innerHTML in admin chart legends — no escaping, no authentication required.
CVE-2026-40262: Note Mark Asset Handler Stored XSS via MIME Sniffing
Note Mark's asset delivery handler serves uploaded files inline with no Content-Type or nosniff header, enabling stored XSS via SVG/HTML upload that executes under the app's origin.
CVE-2026-41113: qmail tls_quit RCE via popen() in notlshosts_auto
sagredo qmail before 2026.04.07 exposes a remote code execution path through unsanitized popen() calls in notlshosts_auto triggered during TLS negotiation teardown.
CVE-2026-40170: ngtcp2 qlog Stack Buffer Overflow via QUIC Transport Params
ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking, enabling remote stack corruption during QUIC handshake.
CVE-2026-6442: Snowflake Cortex CLI Bash Sandbox Escape → RCE
Improper command validation in Snowflake Cortex Code CLI ≤1.0.24 allows sandboxed bash commands to escape agent isolation, achieving arbitrary code execution from malicious repository content.
CVE-2026-37337: SQL Injection to RCE in Simple Music Cloud Community System
Unauthenticated SQL injection in view_playlist.php allows full database extraction and remote code execution via stacked queries. CVSS 7.3 HIGH.
CVE-2026-37336: SQL Injection to RCE in Simple Music Cloud v1.0
Unauthenticated SQL injection in view_music.php allows full database read and potential RCE via stacked queries. CVSS 7.3 HIGH, no patch available.
CVE-2026-31843: Unauthenticated RCE in goodoneuz/pay-uz via PHP File Overwrite
The pay-uz Laravel package exposes an unauthenticated endpoint that writes attacker-controlled PHP into executable hook files, enabling trivial remote code execution on any default install.
CVE-2026-23772: Dell Replay Manager Local Privilege Escalation via Improper Service Privilege Management
Dell Storage Manager Replay Manager 8.0 exposes a local privilege escalation path through misconfigured service permissions, allowing low-privileged users to hijack execution context and gain SYSTEM.
CVE-2024-2374: XXE in WSO2 Products Enables File Read and SSRF
WSO2 XML parsers accept user-supplied data without disabling external entity resolution, enabling file disclosure, SSRF, and DoS via recursive entity expansion.
CVE-2026-34621: Prototype Pollution RCE in Adobe Acrobat Reader
A prototype pollution vulnerability in Acrobat Reader's JavaScript engine allows arbitrary code execution via malicious PDF. Exploited in the wild against versions ≤26.001.21367.
CVE-2026-33032: Nginx UI MCP Endpoint Auth Bypass Enables Full Service Takeover
The /mcp_message endpoint in nginx-ui ≤2.3.5 skips AuthRequired() middleware, letting any network attacker invoke all MCP tools unauthenticated — rewriting configs, restarting nginx, achieving full service takeover.
CVE-2025-20658: MediaTek DA2 USB Handler Heap Overflow → ACE
A logic error in MediaTek's Download Agent USB command handler allows heap overflow via a malformed USB packet, enabling arbitrary code execution with physical access.
CVE-2026-6351: CRLF Injection to LFI in Openfind MailGates/MailAudit
Unauthenticated CRLF injection in Openfind MailGates/MailAudit allows arbitrary system file read via HTTP response splitting. No authentication required.
CVE-2026-6350: Openfind MailGates Stack Buffer Overflow → Unauthenticated RCE
A stack-based buffer overflow in Openfind MailGates/MailAudit allows unauthenticated remote attackers to corrupt the stack frame and achieve arbitrary code execution. CVSS 9.8, no authentication required.
CVE-2026-40504: Heap Overflow in Gravity VM Fiber Reassignment Enables RCE
A heap buffer overflow in gravity_fiber_reassign() allows attackers to corrupt heap metadata via crafted scripts with excessive global string literals, achieving arbitrary code execution in any application embedding Gravity before 0.9.6.
CVE-2026-40960: Luanti Mod Sandbox Escape via Trusted Env Interception
A logic flaw in Luanti's Lua sandbox dispatcher allows a crafted mod to intercept and inherit the insecure environment or HTTP API granted to a trusted mod, enabling RCE via unsandboxed Lua execution.
CVE-2026-40502: OpenHarness Gateway Handler Command Injection
OpenHarness prior to dd1d235 fails to distinguish local-only from remote-safe commands in its gateway handler, allowing remote chat users to execute administrative commands like /permissions full_auto without operator authorization.
CVE-2026-35569: Stored XSS in ApostropheCMS SEO Fields Enables RCE
ApostropheCMS ≤4.28.0 fails to encode SEO field output in title tags, meta attributes, and JSON-LD contexts, allowing stored XSS leading to authenticated API exfiltration.
CVE-2025-41118: Pyroscope Leaks Tencent COS Secret Key via API
Pyroscope's COS storage backend exposes secret_key credentials through the unauthenticated API. CVSS 9.1 critical. Fixed in 1.15.2, 1.16.1, 1.17.0.
CVE-2026-30615: Prompt Injection to RCE via Windsurf MCP Config Hijack
Windsurf 1.9544.26 processes attacker-controlled HTML without sanitization, allowing injected LLM instructions to rewrite MCP STDIO server config and execute arbitrary commands without user interaction.
CVE-2026-20204: Splunk apptemp RCE via Insecure Temp File Handling
A low-privileged Splunk user can achieve RCE by uploading a malicious file to the apptemp directory. Affects Splunk Enterprise below 10.2.1/10.0.5/9.4.10/9.3.11 and multiple Cloud Platform versions.
CVE-2024-53412: Command Injection via Port Field in ShoppingCart 0.0.2
The connect() function in NietThijmen ShoppingCart 0.0.2 passes an attacker-controlled Port field directly to a shell command, enabling unauthenticated RCE via classic command injection.
CVE-2025-64893: DNG SDK OOB Read Exposes Process Memory
Adobe DNG SDK ≤1.7.0 contains an out-of-bounds read in IFD/tile parsing that leaks heap memory and can crash the host application when processing a malformed DNG file.
CVE-2025-58411: Imagination GPU Driver Use-After-Free via Refcount Mismanagement
A reference counting flaw in Imagination Technologies' GPU kernel driver allows an unprivileged user to trigger a write use-after-free via malformed GPU syscalls, enabling potential RCE at kernel privilege.
CVE-2025-52908: Samsung Exynos Wi-Fi Driver NL80211 Buffer Overflow
Samsung Exynos Wi-Fi driver mishandles NL80211 vendor command ioctl input, enabling heap buffer overflow via crafted netlink messages. CVSS 9.8 critical, affects Exynos 980 through W1000.
CVE-2025-13476: Viber Cloak Mode Static TLS Fingerprint Bypass
Viber's Cloak proxy mode emits a static, predictable TLS ClientHello fingerprint trivially detectable by DPI. CVSS 9.8. Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 affected.
CVE-2025-38616: Linux TLS ULP Dangling Anchor After Queue Drain
A race between TCP receive queue consumers and TLS ULP installation leaves a parsing anchor pointing to freed socket buffers, enabling out-of-bounds reads and memory corruption.
CVE-2025-64720: libpng OOB Read via Palette Alpha Invariant Violation
libpng 1.6.0–1.6.50 misapplies background compositing during premultiplication on palette images with PNG_FLAG_OPTIMIZE_ALPHA, violating component ≤ alpha×257 and triggering an out-of-bounds read.
CVE-2026-5445: DICOM Palette OOB Read Leaks Heap via Android Image Decoder
DecodeLookupTable in DicomImageDecoder.cpp fails to bounds-check pixel indices against palette size, exposing heap memory through crafted PALETTE COLOR DICOM images on Android.
CVE-2026-0006: Heap Buffer Overflow Enabling Unauthenticated RCE
A heap buffer overflow in a cross-platform parsing component allows unauthenticated remote code execution via crafted network input. No user interaction required; CVSS 9.8.
CVE-2025-20658: MediaTek Download Agent Logic Flaw Enables Local Privilege Escalation via Physical Access
A logic error in MediaTek's Download Agent permits permission bypass and local privilege escalation on affected devices. Organizations managing shared or high-value endpoints should treat this as an urgent patching priority.
CVE-2026-27289: Out-of-Bounds Read in Adobe Photoshop Desktop Enables Code Execution via Malicious File
A high-severity memory corruption flaw in Adobe Photoshop Desktop allows attackers to achieve code execution by tricking victims into opening a crafted file. CVSS score: 7.8.
CVE-2026-27284: Critical Memory Corruption Vulnerability in Adobe InDesign Desktop
Adobe InDesign Desktop suffers from an out-of-bounds read vulnerability that could allow attackers to execute arbitrary code. User interaction required through malicious file opening.
CVE-2026-27283: Critical Use-After-Free Vulnerability in Adobe InDesign Desktop
Adobe InDesign Desktop contains a high-severity Use-After-Free vulnerability allowing arbitrary code execution. User interaction required through malicious file opening.
CVE-2026-27238: Critical Heap Buffer Overflow in Adobe InDesign Desktop Enables Remote Code Execution
Adobe InDesign Desktop versions 20.5.2 and 21.2 contain a heap-based buffer overflow vulnerability allowing arbitrary code execution. Exploitation requires opening malicious files.
CVE-2026-38527: Critical SSRF Vulnerability in Webkul Krayin CRM Webhook Component
A high-severity Server-Side Request Forgery vulnerability in Krayin CRM's webhook creation endpoint allows attackers to scan internal infrastructure. The flaw affects version 2.2.x installations.
CVE-2026-23708: Critical Authentication Bypass in Fortinet FortiSOAR Through 2FA Replay Attack
A high-severity vulnerability allows unauthenticated attackers to bypass two-factor authentication in FortiSOAR platforms. The flaw enables replay attacks against captured 2FA requests.
CVE-2026-22828: Critical Heap Buffer Overflow in Fortinet Cloud Management Platforms
A high-severity heap buffer overflow in FortiAnalyzer and FortiManager Cloud allows remote code execution. ASLR and segmentation provide some protection.
Critical Authentication Bypass in Siemens Industrial Edge Management Exposes OT Networks
CVE-2026-33892 allows unauthenticated attackers to bypass authentication in Siemens Industrial Edge Management systems. Industrial organizations must patch immediately to prevent unauthorized access to critical infrastructure devices.
CVE-2026-33892: Critical Authentication Bypass in Industrial Edge Management Systems
A high-severity vulnerability allows unauthenticated attackers to impersonate legitimate users in Industrial Edge Management systems. Remote exploitation possible through header manipulation.
Critical Memory Corruption in Qualcomm Firmware Exploited in Wild: CVE-2026-21385 Analysis
A critical memory alignment vulnerability in Qualcomm firmware is being actively exploited, allowing attackers to achieve arbitrary code execution. Security teams must prioritize patching immediately.
CVE-2026-6264: Critical Unauthenticated RCE in Talend JobServer via JMX Monitoring Port
A critical vulnerability in Talend JobServer and Runtime enables unauthenticated remote code execution through exposed JMX monitoring ports. Organizations must patch immediately or disable JMX access to prevent complete system compromise.
CVE-2026-6264: Critical Remote Code Execution in Talend JobServer JMX Monitoring Port
A critical vulnerability in Talend JobServer and Runtime enables unauthenticated remote code execution through exposed JMX monitoring ports. Immediate patching required.
CVE-2026-6227: Critical Local File Inclusion Vulnerability in BackWPup WordPress Plugin Enables Remote Code Execution
BackWPup plugin versions up to 5.6.6 contain a high-severity LFI vulnerability allowing authenticated administrators to read sensitive files and achieve RCE. The flaw stems from inadequate path traversal sanitization in a REST API endpoint.
Critical SQL Injection Vulnerability in JetEngine WordPress Plugin Affects Custom Content Types
CVE-2026-4352 exposes a high-severity SQL injection flaw in JetEngine's REST API search functionality. Unauthenticated attackers can exploit unsanitized parameters to execute arbitrary database queries.
CVE-2026-34256: Critical Authorization Bypass in SAP ERP Allows ABAP Report Overwriting
A missing authorization check in SAP ERP and S/4HANA allows authenticated attackers to overwrite executable ABAP reports. This vulnerability poses significant risks to system availability and integrity.
CVE-2026-40164: Critical Hash Collision Vulnerability in jq JSON Processor Enables DoS Attacks
A hardcoded seed in jq's MurmurHash3 implementation allows attackers to craft malicious JSON payloads causing severe CPU exhaustion. The vulnerability affects CI/CD pipelines and web services processing JSON data.