By severity
High-severity vulnerabilities
CVEs rated High by CVSS, with SEC.co remediation and prioritization guidance.
47 published vulnerabilities
- CVE-2026-35671HIGH 8.8
phpMyFAQ versions before 4.1.3 contain a privilege escalation vulnerability in the admin password management API. An authenticated administrator with low-level privileges can manipulate API requests to reset any user's password, including SuperAdmin accounts, bypassing normal authorization checks. This allows attackers to seize full control of the FAQ system.
- CVE-2026-46113HIGH 8.8
A use-after-free vulnerability exists in the Linux kernel's KVM (Kernel Virtual Machine) shadow page table management. The issue arises when guest page tables are modified between VM entries, causing KVM to track memory references incorrectly. This can lead to the kernel accessing freed memory structures, potentially allowing a local attacker with guest access to crash the system or execute code with elevated privileges. The vulnerability requires local access and affects systems running KVM with shadow paging enabled.
- CVE-2026-46125HIGH 8.8
CVE-2026-46125 is a memory safety bug in Linux kernel WiFi driver code that can cause system crashes or privilege escalation. When the kernel attempts to establish a multi-link WiFi connection and that setup fails, the code incorrectly retains station references that should have been cleaned up. This leaves dangling pointers in memory that can be exploited or cause the system to crash when the kernel debugfs interface tries to access them later. The vulnerability requires local network access and affects systems with WiFi enabled.
- CVE-2026-46152HIGH 8.8
A vulnerability in the Linux kernel's WiFi driver (mac80211) allows concurrent network packet processing threads to interfere with each other. The issue stems from a shared variable that should have been unique to each processing thread. When multiple packets arrive simultaneously, one thread's processing result can be overwritten by another, causing packets to be misrouted or incorrectly marked as already processed. This can lead to dropped packets, incorrect packet handling, or exposure of network data.
- CVE-2026-46166HIGH 8.8
A memory safety flaw exists in the Linux kernel's Wi-Fi driver subsystem (mac80211). When the kernel performs radar detection checks on wireless channels, it can inadvertently access memory that has already been freed, potentially causing a system crash or enabling privilege escalation. The issue stems from unsafe iteration over a list of wireless channel contexts that can be modified during the operation.
- CVE-2026-44461HIGH 8.6
Zed, a modern code editor, has a vulnerability in how it constructs commands for remote development over SSH or WSL (Windows Subsystem for Linux). When opening a terminal in a remote session, Zed builds a shell command that includes environment variables, but it doesn't properly escape or validate the names of those variables. An attacker who can inject a malicious environment variable name—such as through project-level terminal settings—can embed shell commands within that name. When the remote shell executes the command, it interprets these embedded instructions, allowing arbitrary code execution on the remote machine under the user's privileges. The flaw has been patched in version 0.227.1.
- CVE-2026-44463HIGH 8.6
Zed, a modern code editor, contains a security flaw in how it controls which programs can run in the integrated terminal. An attacker can bypass these permission restrictions by sneaking environment variable assignments into commands that are supposed to be allowed. By manipulating variables like PAGER, an attacker can redirect the editor to run malicious code when it attempts to display output. This affects Zed versions before 0.229.0 and is resolved in that release.
- CVE-2026-35675HIGH 8.2
phpMyFAQ versions before 4.1.3 contain a critical flaw in their password reset mechanism that completely bypasses authentication checks. An attacker does not need valid credentials or access to a victim's email to reset passwords—they can simply request a password reset for any user account, and the system grants it without verification. This means attackers can take over any account, including administrator accounts, giving them full control of the FAQ system and potentially the underlying server.
- CVE-2026-35676HIGH 8.2
phpMyFAQ versions before 4.1.3 contain a critical flaw that allows anyone on the internet to reset user account passwords without authentication. An attacker can enumerate valid usernames and email addresses, then forcibly change passwords by sending direct API requests. This bypasses normal security controls and immediately locks legitimate users out of their accounts.
- CVE-2026-44358HIGH 8.2
Espressif's Shared GitHub DangerJS Action, a reusable CI workflow component, contains a privilege escalation vulnerability in versions prior to 1.0.1. When processing pull requests from forks, the action's entrypoint script executes DangerJS from an untrusted search path after copying fork code into the working directory. This allows fork-supplied code to run inside the action container with the permissions of the workflow, rather than the action's own trusted code. An attacker can exploit this by submitting a malicious pull request from a fork, causing arbitrary code execution in the CI/CD environment.
- CVE-2026-46138HIGH 8.1
A flaw in the Linux kernel's Bluetooth event handler can cause the kernel to read memory beyond the bounds of a data structure and enter an infinite loop. The vulnerability occurs when a Bluetooth controller sends a specific event (LE_Create_BIG_Complete) with mismatched or insufficient data. An attacker with local or adjacent network access to a vulnerable system could exploit this to cause a denial of service by freezing the kernel with a lock held, making the system unresponsive.
- CVE-2026-37266HIGH 8.0
Responsive File Manager version 9.14.0 contains a remote code execution vulnerability in its force_download.php component. An authenticated attacker can exploit this flaw to execute arbitrary code on the server, potentially gaining full control of the application and underlying system. The vulnerability requires an attacker to have valid login credentials and user interaction (such as clicking a malicious link), but poses a significant risk in multi-user or publicly accessible deployments.
- CVE-2026-45322HIGH 7.8
Microsoft's UFO framework, an open-source tool for automating tasks across devices, contains a command injection flaw in its shell execution component. An attacker with write access to UFO's session files can embed malicious system commands that execute with the privileges of the UFO process when a session is resumed or replayed. This creates a local privilege escalation risk in environments where session files may be accessible or shared.
- CVE-2026-46105HIGH 7.8
A flaw in the Linux kernel's mpt3sas driver allows NVMe storage controllers to accept I/O requests larger than the driver can safely handle. The driver allocates a fixed 4 KB buffer that can hold at most 512 entries in its request queue (PRP list), limiting safe transfers to 2 MiB. However, the firmware may advertise support for larger transfers based on the drive's capabilities. When oversized requests are issued, the kernel can crash. This vulnerability requires local access and valid user privileges to exploit.
- CVE-2026-46107HIGH 7.8
A bug in the Linux kernel's device mapper thin provisioning layer can cause reference counting errors when managing shared metadata trees. When the kernel tries to reorganize a btree node that has been shared across multiple data structures, it fails to properly track pointers to child nodes, leading to crashes and data unavailability. The flaw occurs specifically in the rebalance_children function during metadata tree operations.
- CVE-2026-46111HIGH 7.8
A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.
- CVE-2026-46112HIGH 7.8
A locking bug exists in the Linux kernel's RDMA HNS driver when creating queue pairs. During error recovery in queue pair creation, the code attempts to clean up resources without holding required synchronization locks. This unlocked cleanup can corrupt internal kernel memory structures, potentially allowing a local attacker to escalate privileges or crash the system. The vulnerability affects the error handling path specifically—the normal operation path uses proper locking.
- CVE-2026-46116HIGH 7.8
A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.
- CVE-2026-46117HIGH 7.8
A flaw in the Linux kernel's RDMA/mana driver allows unprivileged local users to trigger a kernel warning and corrupt memory by creating queue pairs (QPs) that share the same completion queue (CQ) through the user-space API. The vulnerability bypasses validation logic that should reject this invalid configuration, leading to kernel memory corruption. The fix enforces proper validation to reject such requests at creation time rather than allowing them to proceed and corrupt state.
- CVE-2026-46120HIGH 7.8
A flaw in the Linux kernel's IPv6 GRE tunnel implementation allows a local attacker with unprivileged user namespace capabilities to trigger memory corruption. The vulnerability stems from inconsistent netns (network namespace) handling in the ip6erspan_changelink() function, which fails to use the correct cached network namespace context when reconfiguring an ERSPAN tunnel after it has been migrated between namespaces. This can lead to kernel crashes and potential privilege escalation.
- CVE-2026-46121HIGH 7.8
A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.
- CVE-2026-46122HIGH 7.8
A flaw exists in the Linux kernel's b43 wireless driver that can allow a local attacker to read memory outside the bounds of an internal array. The issue stems from insufficient validation of a firmware-supplied index value used to access encryption keys. When the firmware provides an invalid index—one larger than the 58-entry key array—the driver does not properly reject it in production systems, leading to an out-of-bounds read. An attacker with local system access could exploit this to leak sensitive kernel memory.
- CVE-2026-46129HIGH 7.8
A double-free memory corruption bug exists in the Linux kernel's Btrfs filesystem implementation. When the kernel initializes and registers filesystem space information objects with the sysfs interface, a failure in that registration process can cause the same memory block to be freed twice. This happens because the error recovery code doesn't account for cleanup already performed by the object release callback. A local attacker with unprivileged user access could trigger this condition and gain kernel-level privileges.
- CVE-2026-46136HIGH 7.8
A flaw in the Linux kernel's MT7921 Wi-Fi driver can cause a buffer length counter to drop below zero under specific conditions when the driver processes country power settings from the Carrier List Configuration (CLC). This underflow triggers either an excessive loop that nearly hangs the system or applies an invalid power setting, preventing the driver from initializing properly. An attacker with local access could exploit this to degrade Wi-Fi functionality or trigger a denial of service.
- CVE-2026-46145HIGH 7.8
CVE-2026-46145 is a memory corruption vulnerability in the Linux kernel's RDMA/mana driver. An unprivileged local user can manipulate a parameter called rx_hash_key_len from user space to cause an unbounded memory copy operation, corrupting kernel memory. The vulnerability stems from insufficient validation of user-supplied input before it is passed to a memory copy function, creating a path for local privilege escalation or system crash.
- CVE-2026-46157HIGH 7.8
A concurrency bug exists in the Linux kernel's ALSA (Advanced Linux Sound Architecture) OSS (Open Sound System) compatibility layer. When multiple processes try to access and modify the trigger control bit simultaneously, the kernel lacks proper synchronization, allowing writes to corrupt not just the intended trigger flag but adjacent bit fields in memory. This confusion can destabilize audio subsystem behavior. The vulnerability requires local access and privileges to trigger.
- CVE-2026-46162HIGH 7.8
A flaw in the Linux kernel's ice (Intel ice) network driver creates a double-free memory corruption condition in the auxiliary device activation error handler. When the driver attempts to activate a subfunction Ethernet device but the operation fails partway through, the error handling code frees the same memory region twice, corrupting the kernel heap. An attacker with local access and unprivileged user privileges can trigger this condition to escalate privileges or crash the system.
- CVE-2026-46163HIGH 7.8
A flaw exists in the Linux kernel's b43legacy wireless driver that fails to properly validate array index bounds when processing incoming wireless frames. The firmware supplies a key index value that the driver uses to access a cryptographic key array, but there is no enforcing check to ensure this index stays within valid bounds. In production builds, this allows an attacker with local access to trigger an out-of-bounds memory read by crafting malicious wireless traffic, potentially exposing sensitive kernel memory or causing a system crash.
- CVE-2026-46123HIGH 7.7
A vulnerability in the Linux kernel's Bluetooth virtio backend driver allows a malicious or buggy virtual device to expose uninitialized kernel memory to unprivileged processes. The driver fails to properly validate the length of data reported by the virtual device, permitting reads beyond the intended 1000-byte receive buffer. An attacker with the ability to control a virtio Bluetooth backend—such as a compromised hypervisor or malicious VM—can leak sensitive kernel heap data or trigger denial of service. This is a local attack requiring some form of device emulation control, but it directly compromises memory isolation guarantees in virtualized environments.
- CVE-2026-32995HIGH 7.5
Rocket.Chat contains an authentication bypass vulnerability in its direct message protocol (DDP) translation feature. An authenticated user—even without access to specific rooms or channels—can read private messages, direct messages, and end-to-end encrypted messages from other users by exploiting an unprotected DDP method. The flaw stems from insufficient permission checks when a client requests message translation, allowing lateral message enumeration across the entire Rocket.Chat instance.
- CVE-2026-35672HIGH 7.5
phpMyFAQ versions before 4.1.3 have a critical flaw in their API that allows anyone on the network to create and modify FAQ entries without logging in. The vulnerability exists because the system accepts an empty authentication token by default, meaning attackers can submit requests with no valid credentials and the API will process them anyway. This permits unauthorized content injection into your knowledge base, potentially spreading misinformation, malware links, or defacement across your FAQ system.
- CVE-2026-41565HIGH 7.5
CryptX, a cryptographic library for Perl, contains a stack buffer overflow vulnerability in its AEAD (Authenticated Encryption with Associated Data) decryption functions. When these functions process an authentication tag longer than expected, they overflow a fixed-size buffer on the stack, potentially corrupting memory and crashing the application. An attacker who can supply a maliciously long authentication tag to vulnerable code paths can trigger this crash. The vulnerability affects four specific decryption functions: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. Patches were released incrementally, with gcm_decrypt_verify fixed in version 0.088 and the remaining three functions addressed in version 0.088_001.
- CVE-2026-44594HIGH 7.5
esm.sh, a popular CDN for JavaScript development that eliminates the need for build processes, contains a vulnerability in how it processes package metadata. An attacker can publish a malicious npm package that tricks the esm.sh server into reading and exposing sensitive files from its own filesystem. This happens because the service doesn't properly validate how it interprets the 'browser' field in package.json during the build process. While the attacker cannot modify files or crash the service, they can gain unauthorized access to confidential data stored on esm.sh infrastructure.
- CVE-2026-45017HIGH 7.5
Python Liquid is a templating engine used to process dynamic content. Versions before 2.2.0 contain a path traversal flaw that lets an attacker with the ability to author templates bypass security restrictions and read arbitrary files from the server. An attacker could use the {% include %} or {% render %} template tags with absolute file paths to access files outside the intended template directory. The compromised files are then processed as templates, potentially exposing their contents. This requires the attacker to have template authoring privileges and targets files readable by the application.
- CVE-2026-46110HIGH 7.5
CVE-2026-46110 is a NULL pointer dereference vulnerability in the Linux kernel's stmmac network driver that can crash a system when memory becomes exhausted during packet reception. The driver manages a circular ring of descriptors to coordinate DMA transfers between the CPU and network hardware. When the driver runs out of memory to allocate new receive buffers, it can incorrectly process already-used descriptors as if they were fresh, leading to a kernel panic. This occurs because the driver doesn't properly distinguish between descriptors that are waiting to be refilled versus those that have already been processed.
- CVE-2026-46114HIGH 7.5
A memory leak vulnerability exists in the Linux kernel's RDMA over Converged Ethernet (RoCE) driver. An attacker on the network can send specially crafted RDMA ATOMIC_WRITE requests with zero-length payloads to trigger the responder into reading uninitialized kernel memory and inadvertently leaking it back to the attacker. The vulnerability specifically affects how the kernel validates packet lengths before dereferencing memory, allowing 8 bytes of sensitive kernel data (including kernel strings and pointer information) to be extracted per malicious probe.
- CVE-2026-46124HIGH 7.5
A vulnerability in the Linux kernel's ISO 9660 filesystem (isofs) allows an attacker to read arbitrary blocks from a storage device when the filesystem is exported over NFS. An authenticated attacker can craft a malicious NFS file handle that causes the kernel to interpret unrelated data on the underlying block device as if it were part of the ISO filesystem, leaking that data to the NFS client. While this does not cause memory corruption or system crashes, it exposes sensitive information from adjacent partitions or disk regions. The issue affects systems that export ISO images (typically loop-mounted) over NFS, which is a narrower deployment scenario but still represents a data confidentiality risk.
- CVE-2026-46133HIGH 7.5
A flaw in the Linux kernel's RDMA/rxe (Soft RoCE) driver allows an unauthenticated attacker to crash the system by sending a specially crafted UDP packet with an invalid opcode. The vulnerability exists in how the driver validates incoming packets before processing checksums. When a packet uses an undefined opcode value, the driver fails to properly validate packet length, leading to an out-of-bounds memory read that triggers a kernel panic. An attacker needs only network access to the RDMA port and can exploit this without authentication, credentials, or any prior connection setup.
- CVE-2026-37579HIGH 7.3
SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.
- CVE-2026-2374HIGH 7.2
The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.
- CVE-2026-46130HIGH 7.1
A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.
- CVE-2026-46140HIGH 7.1
A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.
- CVE-2026-46149HIGH 7.1
A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.
- CVE-2026-46150HIGH 7.1
A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.
- CVE-2026-44604HIGH 7.0
A flaw in RPM's archive extraction tool allows an attacker to run arbitrary commands on a system by crafting a malicious archive with shell metacharacters embedded in its folder name. When a user extracts such an archive using the rpmuncompress utility, the unsanitized folder name is passed directly into a shell command, enabling code execution with the privileges of the extracting user. The vulnerability affects ZIP, 7z, and GEM archive formats.
- CVE-2026-46154HIGH 7.0
A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.
- CVE-2026-46164HIGH 7.0
A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.