By severity

Medium-severity vulnerabilities

CVEs rated Medium by CVSS, with SEC.co remediation and prioritization guidance.

422 published vulnerabilities · page 3 of 5

  • CVE-2026-2425MEDIUM 6.1

    The hiWeb Migration Simple WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability in how it handles the 'new_domain' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing arbitrary JavaScript to execute in the admin's browser session. This could allow the attacker to steal session tokens, modify site content, or perform administrative actions on behalf of the compromised admin. The vulnerability affects all versions through 2.0.0.1.

  • CVE-2026-30586MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in usememos Memos version 0.26.0 that allows an attacker to inject malicious code into memo pages. When a user views a compromised memo—whether public or private—the attacker's script executes in the user's browser, potentially exposing sensitive information. The vulnerability stems from improper sanitization of user input in the memo rendering component, meaning the application fails to adequately strip or encode dangerous HTML and JavaScript before displaying memo content.

  • CVE-2026-33553MEDIUM 6.1

    Northern.tech CFEngine Enterprise contains a cross-site scripting (XSS) vulnerability in versions 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1. An attacker can inject malicious scripts that execute in the browser context of users interacting with the CFEngine Enterprise interface, potentially compromising user sessions or stealing sensitive information without requiring authentication.

  • CVE-2026-35212MEDIUM 6.1

    OpenCTI, an open-source threat intelligence platform, contains a cross-site scripting (XSS) vulnerability in how it renders email message data. An attacker can craft a malicious email observable with unsanitized content in the message body, which executes JavaScript in a victim's browser when they view it. Because threat intelligence is often shared across teams via STIX files or automated ingesters, this could be weaponized to steal session cookies at scale, potentially compromising multiple analysts' accounts. The vulnerability requires user interaction—someone must view the crafted email observable—but the attack surface is broad given how threat intelligence is typically distributed.

  • CVE-2026-36324MEDIUM 6.1

    SourceCodester Doctor Appointment System version 1.0 contains a Cross-Site Scripting (XSS) vulnerability in its user registration form. An attacker can inject malicious scripts into the registration page, which are then executed in the browsers of other users who view that registration data. This allows the attacker to steal session cookies, redirect users to phishing sites, or perform actions on behalf of legitimate users without their knowledge.

  • CVE-2026-40181MEDIUM 6.1

    React Router, a widely-used navigation library for React applications, contains an open redirect vulnerability in specific versions. When certain URLs are passed to the redirect function, the library can inadvertently send users to an external website controlled by an attacker. This happens because paths beginning with double slashes (//) are misinterpreted as protocol-relative URLs, allowing an attacker to craft a malicious URL that bypasses the intended redirect destination. The vulnerability only affects applications using the programmatic redirect function; applications built with React Router's declarative mode (using <BrowserRouter>) are not impacted. The severity of the risk depends on how thoroughly the application validates URLs before redirecting.

  • CVE-2026-40713MEDIUM 6.1

    Dell ThinOS 10 devices running versions before 2602_10.0765 have a flaw that allows someone with physical access to the device—without needing to log in—to view sensitive information stored on it. This is a medium-severity issue because it requires hands-on access to the hardware, but once someone has that access, the controls meant to protect data don't work properly.

  • CVE-2026-41569MEDIUM 6.1

    authentik, an open-source identity provider, contains a URL validation flaw in its WS-Federation provider that allows attackers to redirect users' login credentials to attacker-controlled domains. The vulnerability stems from incomplete validation of the wreply parameter—a redirect URL used after authentication. An attacker can craft a malicious login link where the wreply parameter points to a lookalike domain (for example, https://portal.example.com.evil.tld/) that bypasses the validation check, tricking users into sending their signed authentication response to the attacker instead of the legitimate application. This affects authentik versions prior to 2026.2.3.

  • CVE-2026-42253MEDIUM 6.1

    Apache ActiveMQ's web console contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious content into HTTP response headers. The flaw exists in how the MessageServlet handles JMS message properties—it copies them directly into HTTP headers without filtering or validation. An attacker who can craft a JMS message with specially crafted properties could inject security headers, potentially leading to session hijacking, credential theft, or malware delivery when a user views the affected web console. The vulnerability requires user interaction (a victim must view the injected content) and affects versions of ActiveMQ and ActiveMQ Web released before 5.19.7 and 6.2.6.

  • CVE-2026-42998MEDIUM 6.0

    OpenStack Keystone contains an authentication bypass vulnerability in its application credential system. An attacker with valid credentials can request a token while impersonating another user by manipulating the user identity in the authentication request. Keystone fails to validate that the requesting user owns the application credential being used, allowing the attacker to obtain a token attributed to a victim account. The token grants access only to projects shared between the attacker and victim, and only with roles that overlap between both users' permissions, but this is still sufficient for account takeover scenarios and audit trail manipulation.

  • CVE-2026-42999MEDIUM 6.0

    OpenStack Keystone contains a critical authorization bypass vulnerability that allows any authenticated user to escalate their privileges and access resources belonging to other users or projects. The vulnerability stems from a flaw in how Keystone processes policy enforcement—it blindly merges user-supplied JSON request data into the authorization check dictionary, overwriting the trusted database-sourced security context. This means an attacker can simply inject fake user IDs or project IDs into their API request to trick the system into granting them permissions they shouldn't have. The issue affects all versions before 29.0.2 and has existed since Rocky (14.0.0).

  • CVE-2026-43000MEDIUM 6.0

    An authenticated attacker with basic member-level permissions on an OpenStack Keystone project can escalate their privileges to administrator by chaining two Keystone features—application credentials and trusts—in an unintended way. The attack exploits a validation gap: when an impersonated token is created, Keystone checks the victim's stored admin role assignment in the database rather than validating against the actual permissions on the requesting token. This allows the attacker to create a trust that delegates the victim's admin privileges to themselves. The resulting admin access persists independently and can be maintained through additional credential chains, while all actions appear in audit logs under the victim's identity.

  • CVE-2026-44394MEDIUM 6.0

    OpenStack Keystone, the identity service underlying many cloud deployments, has a flaw in how it handles federated user logins through SAML2 or OpenID Connect. When a user rescopes a token (essentially asking for a new token with different permissions or projects), the system doesn't carry forward the original token's expiration time. Instead, it issues a fresh token with a standard lifetime. An attacker with valid federated credentials can exploit this by repeatedly rescoping their token just before it expires, effectively creating a token that never truly expires. This bypasses the organization's configured token lifetime policies, allowing indefinite access once initial compromise occurs.

  • CVE-2023-52951MEDIUM 5.9

    Synology Note Station Client versions before 2.2.4-703 transmit user credentials in cleartext over the network, allowing attackers positioned to intercept traffic—such as those on the same Wi-Fi network or controlling network infrastructure—to capture login credentials. This is a network-based credential theft vulnerability that does not require authentication or user interaction to exploit, though the attacker must be able to intercept the specific traffic.

  • CVE-2023-5502MEDIUM 5.9

    Arista EOS devices configured with 802.1x authentication on network access ports have a weakness that allows a malicious user to bypass the authentication requirement under specific conditions. The vulnerability exists when 802.1x is enabled on access or trunk ports and routing is enabled on the access VLAN. An attacker could potentially gain network access without providing valid authentication credentials, though exploitation requires specific network configuration and circumstances to be in place.

  • CVE-2026-0061MEDIUM 5.9

    CVE-2026-0061 is a privilege escalation vulnerability in Android's WindowState component that allows an attacker to manipulate the permission-granting UI through overlay attacks (tapjacking). By displaying a malicious overlay on top of the system permission dialog, an attacker can trick users into granting sensitive permissions without explicit awareness. The critical aspect is that this requires no special execution privileges and no user interaction in the traditional sense—the attack succeeds through visual deception rather than social engineering or code execution exploits.

  • CVE-2026-0075MEDIUM 5.9

    CVE-2026-0075 is a SQL injection vulnerability in Google Android's contact database access functions that allows local attackers to escalate privileges without needing special permissions or user interaction. An attacker with local access to an Android device can exploit this flaw to read, modify, or delete contact information and potentially gain elevated system privileges.

  • CVE-2026-10584MEDIUM 5.9

    Graph Explorer versions prior to 3.0.1 contain a flaw in their proxy server that causes HTTPS connections to silently downgrade to unencrypted HTTP when certificate files are unavailable. An attacker positioned to intercept network traffic could potentially eavesdrop on sensitive information that was intended to be transmitted securely. This is a configuration-dependent issue—the vulnerability manifests only when certificates are missing—but the silent fallback behavior makes it particularly insidious because applications may not explicitly warn users that encryption has been disabled.

  • CVE-2026-25861MEDIUM 5.9

    QloApps versions through 1.7.0 use MD5 to hash passwords, a cryptographic method that is computationally cheap to crack. The vulnerability is particularly severe because QloApps concatenates a static value (a cookie key) with user passwords before hashing, reducing the effective randomness of the hash. When guest accounts are automatically converted to customer accounts, the system assigns simple 8-character passwords, which are trivially recoverable through offline brute-force attacks. An attacker who gains access to the password database can extract user credentials without needing to interact with the application in real time.

  • CVE-2026-28116MEDIUM 5.9

    Emilia Projects Progress Planner versions 1.9.0 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the application. When other users view affected pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further lateral movement within the application environment.

  • CVE-2026-36610MEDIUM 5.9

    Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 transmit Dynamic DNS (DDNS) credentials using only Base64 encoding over unencrypted HTTP connections. Base64 is not encryption—it's merely encoding and can be trivially decoded by anyone observing network traffic. Because the firmware lacks TLS/SSL support entirely, an attacker positioned on the network path can intercept and recover DDNS service credentials, potentially compromising the domain name update service tied to the affected router.

  • CVE-2026-36616MEDIUM 5.9

    Mercusys AC12G (EU) V1 routers contain hardcoded credentials baked directly into the firmware. A researcher can extract a WiFi driver password, RADIUS shared secret, WPS test key, and default network password from the device's production binary. This allows someone with network access to bypass WiFi protections and potentially reach internal network resources, though the attack requires being within radio range and some technical effort to extract and use these credentials.

  • CVE-2026-41017MEDIUM 5.9

    Apache Airflow's JWT authentication middleware fails to mark session cookies as secure, exposing them to interception when the API server sits behind a TLS-terminating reverse proxy—a standard cloud architecture. An attacker on a shared network (public Wi-Fi, compromised LAN, or captive portal) can intercept an authenticated user's session token and replay it to gain API access. The vulnerability only materializes in specific deployment topologies where the reverse proxy strips HTTPS before forwarding to Airflow; teams running Airflow with end-to-end encryption or without reverse proxies are not affected. Apache Airflow 3.2.2 and later patch this issue.

  • CVE-2026-43625MEDIUM 5.9

    CodexBar versions before 0.32.0 have a vulnerability where session cookies imported from your browser can be intercepted over the network. When CodexBar redirects requests to Amp or Ollama providers, attackers positioned on your network path can capture these cookies if the redirect sends them over unencrypted HTTP. This requires the attacker to be on the network between you and the provider, but the leaked cookies could grant them access to your sessions on those services.

  • CVE-2026-10517MEDIUM 5.8

    Clair, a container image scanning tool, has a server-side request forgery (SSRF) vulnerability in its fetcher component. When processing container manifests, Clair can be tricked into making HTTP requests to attacker-controlled URLs without proper validation. An attacker who is unauthenticated can submit a malicious manifest pointing to internal services or cloud metadata endpoints, causing Clair to reach out to those targets. When the request fails, error messages leak up to 256 bytes of the response, potentially exposing sensitive information like API credentials or internal configuration. Red Hat Quay deployments that are operator-managed are automatically protected because they enable pre-shared key (PSK) authentication by default; self-managed Clair installations without PSK are at risk.

  • CVE-2026-40425MEDIUM 5.7

    A vulnerability in the Danelec MacGregor Voyage Data Recorder web interface allows an authenticated administrator to directly modify sensitive authentication-related files on the system. This could enable an attacker with admin credentials to alter the root password and gain elevated system control. While exploitation requires existing administrative access, the ability to change root credentials represents a critical privilege escalation path that should be addressed promptly.

  • CVE-2026-40989MEDIUM 5.7

    Spring Cloud Function versions across multiple release lines contain a flaw in the routing layer that can trigger infinite recursion during request handling. This recursion exhausts available memory, causing an out-of-memory (OOM) error that crashes the application. The vulnerability requires either physical access to the system or authenticated local access to exploit, which limits its immediate risk in cloud-native deployments but remains a concern for containerized environments or systems with weak internal network segmentation.

  • CVE-2026-40990MEDIUM 5.7

    A resource exhaustion flaw exists in Spring Cloud Function that allows an attacker to trigger out-of-memory (OOM) errors by registering an excessive number of functions in the Function Registry. The vulnerability requires local or adjacent network access and user interaction, making it a medium-severity concern primarily affecting development and hybrid deployment environments. Multiple versions across Spring Cloud Function 3.2 through 5.0 are vulnerable.

  • CVE-2026-41918MEDIUM 5.7

    RUGGEDCOM RST2428P industrial switches store sensitive configuration data in the web browser's cache when authenticated users make changes. An attacker with valid credentials and access to the same system could potentially retrieve this cached data, exposing sensitive operational information. The vulnerability affects all versions prior to V4.0.

  • CVE-2026-10222MEDIUM 5.6

    A vulnerability exists in NousResearch's hermes-agent software that allows attackers to inject malicious code through improper sanitization of environment variables. The flaw resides in the configuration parsing logic and can be exploited remotely, though successful exploitation requires substantial technical knowledge and effort. While a public exploit exists, the attack surface is limited by high complexity requirements. This is a medium-severity issue affecting versions up to 2026.4.30.

  • CVE-2025-48648MEDIUM 5.5

    CVE-2025-48648 is a denial-of-service vulnerability in Android's NotificationManagerService that allows a local attacker to exhaust system resources and crash the notification service. An attacker with basic user privileges can trigger this flaw without user interaction, causing persistent disruption to the device's notification functionality.

  • CVE-2025-5085MEDIUM 5.5

    The WP Nano AD plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions 1.31 and earlier. An authenticated administrator can inject malicious scripts through the 'blogrole_link' parameter that persist in the database and execute in the browsers of users who view affected pages. The vulnerability is limited to WordPress multisite installations or those with the 'unfiltered_html' capability disabled, which narrows its real-world scope but makes it critical for affected deployments.

  • CVE-2025-55664MEDIUM 5.5

    CVE-2025-55664 is a heap buffer overflow vulnerability in GPAC MP4Box version 2.4 that can be triggered when processing a specially crafted MP4 file. An attacker can exploit this by tricking a user into opening a malicious MP4 file, causing the application to crash or become unresponsive. This is a local, user-interaction-based attack that does not allow data theft or system compromise, but disrupts availability of the MP4Box tool.

  • CVE-2025-59609MEDIUM 5.5

    CVE-2025-59609 is a medium-severity information disclosure vulnerability affecting multiple Qualcomm wireless and audio chipset products. The flaw occurs when devices process Wi-Fi advertisement frames containing malformed MBSSID (Multiple BSSID) elements that are shorter than expected. An attacker with network proximity and valid credentials can craft these frames to trigger uninitialized memory access, potentially exposing sensitive data. The attack requires user interaction and specific network conditions to succeed, limiting its practical exploitability but still warranting prompt patching given the breadth of affected components.

  • CVE-2025-60481MEDIUM 5.5

    GPAC Project's MP4Box, a widely-used multimedia framework and command-line tool, contains a flaw in how it processes AC4 audio configuration data within media files. When a specially crafted AC4 file is opened, the application crashes due to a null pointer dereference—essentially trying to access memory that hasn't been properly initialized. This is a local denial-of-service vulnerability that requires user interaction (opening the malicious file) but could disrupt workflows involving media processing or transcoding pipelines.

  • CVE-2025-60483MEDIUM 5.5

    A flaw in GPAC Project/MP4Box's AC4 audio file parser can crash the application when processing a specially crafted audio file. An attacker would need to trick a user into opening a malicious AC4 file, causing the service to stop responding. This is a moderate-risk issue affecting organizations that rely on MP4Box for media processing or transcoding workflows.

  • CVE-2025-60485MEDIUM 5.5

    CVE-2025-60485 is a memory safety flaw in GPAC's MP4Box tool that causes the application to crash when processing a specially crafted MP4 media file. An attacker can exploit this by distributing a malicious MP4 that triggers the crash, disrupting service for anyone using MP4Box to process or analyze video files. The vulnerability requires local access and user interaction (opening or processing the file), so it is most relevant in environments where untrusted media files are routinely handled.

  • CVE-2025-60486MEDIUM 5.5

    A memory safety flaw in GPAC's MP4Box tool allows an attacker to crash the application by processing a specially crafted MPEG-2 video file. The vulnerability stems from improper memory management in the dasher_process function—specifically, the code attempts to access memory that has already been freed. An attacker with local file access can exploit this by distributing a malicious video file that, when opened in MP4Box, triggers the defect and renders the tool unusable. This is a denial-of-service issue rather than a path to code execution or data theft.

  • CVE-2025-60495MEDIUM 5.5

    GPAC's MP4Box, a widely-used multimedia toolkit, contains a memory safety flaw in its color information parsing logic. When MP4Box processes a specially crafted media file, the vulnerable code attempts to access memory in an unsafe manner, causing the application to crash. An attacker with the ability to supply a malicious file to a user or system running MP4Box can trigger this denial of service. This is a local impact issue—it requires user interaction to open the file—but the barrier to exploitation is low.

  • CVE-2025-70100MEDIUM 5.5

    CVE-2025-70100 is a denial-of-service vulnerability in lwext4, a lightweight ext4 filesystem library. An attacker can craft a malicious ext4 filesystem image containing a zero logical block size that crashes any application using lwext4 to mount or process the image. The library fails to validate the block size parameter before performing arithmetic operations, leading to a divide-by-zero condition. While this vulnerability cannot be exploited for data theft or system compromise, it can disrupt services that depend on lwext4 for filesystem operations, such as embedded systems, recovery tools, or specialized storage applications.

  • CVE-2025-71313MEDIUM 5.5

    A memory allocation failure in the Linux kernel's PCI endpoint driver could cause the system to crash. When the kernel tries to create a work queue for handling PCI endpoint-to-endpoint communication, it doesn't properly check whether that operation succeeded. If memory is scarce and the allocation fails, the driver continues anyway and later attempts to use the non-existent queue, triggering a NULL pointer dereference that halts the affected system. The fix is straightforward: check whether the allocation succeeded before proceeding.

  • CVE-2025-71314MEDIUM 5.5

    A vulnerability in the Linux kernel's Panthor GPU driver can cause the graphics system to hang indefinitely when memory subsystem operations fail to complete. The issue arises because the driver lacks proper recovery mechanisms for stuck cache-flush operations. When a GPU memory flush times out, the driver now schedules a reset and recovers gracefully instead of hanging. This affects systems using Panthor-based GPUs (primarily ARM Mali GPUs in certain SoCs).

  • CVE-2026-0018MEDIUM 5.5

    CVE-2026-0018 is a denial-of-service vulnerability in Android's AccessibilityManagerService that allows a local attacker with user-level privileges to crash or hang the accessibility subsystem persistently. No special permissions, code execution, or user interaction are required to trigger the flaw—an authenticated local process can simply send malformed input to designated service functions that fail to properly validate their parameters. This could degrade or disable accessibility features for affected users.

  • CVE-2026-0042MEDIUM 5.5

    CVE-2026-0042 is a resource exhaustion vulnerability in Google Android's UBSan runtime component that allows a local attacker to cause a persistent denial of service. An attacker with basic user-level access can trigger the flaw without user interaction, exhausting system resources and rendering the device unavailable. The vulnerability does not enable unauthorized access or data theft—only availability disruption.

  • CVE-2026-0043MEDIUM 5.5

    CVE-2026-0043 is a medium-severity integer overflow vulnerability in Android's UBSan runtime library that can cause a persistent denial of service and local privilege escalation. The flaw resides in multiple functions within ubsan_throwing_runtime.cpp and requires only local access to exploit—no special privileges or user interaction are needed. Once triggered, the integer overflow can exhaust system resources or corrupt memory state, denying service to the affected device or enabling an attacker to elevate their privileges locally.

  • CVE-2026-0060MEDIUM 5.5

    CVE-2026-0060 is a local denial-of-service vulnerability in Android's graphics driver management system. A local attacker with basic user privileges can trigger a persistent crash condition in the GraphicsDriverEnableAngleAsSystemDriverController component, rendering the graphics subsystem unavailable without requiring elevated permissions or user interaction. The issue stems from improper state handling in the updateState method.

  • CVE-2026-0067MEDIUM 5.5

    A logic error in Android's ubsan_throwing_runtime.cpp file can be exploited by a local attacker to permanently deny service to affected devices. The vulnerability requires only basic user-level permissions and no special interaction to trigger, making it a straightforward availability threat for any Android user or administrator managing affected deployments.

  • CVE-2026-0069MEDIUM 5.5

    CVE-2026-0069 is a resource exhaustion vulnerability in Android's signature verification code that allows a local attacker to crash the system without needing special privileges or user interaction. An attacker with basic local access can trigger excessive resource consumption in the APK checksum verification process, causing a denial of service.

  • CVE-2026-0070MEDIUM 5.5

    A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.

  • CVE-2026-0074MEDIUM 5.5

    CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.

  • CVE-2026-0079MEDIUM 5.5

    CVE-2026-0079 is a denial-of-service vulnerability in Android's ubsan_throwing_runtime.cpp component. An integer overflow flaw allows a local attacker to crash or hang affected systems persistently without requiring elevated privileges or user interaction. The vulnerability resides in multiple functions within the runtime component responsible for undefined behavior sanitization, making it accessible to processes running with standard user permissions.

  • CVE-2026-0085MEDIUM 5.5

    A flaw in Android's contact data handling allows a local attacker to crash the system by inserting an unusually large contact name. The vulnerability exists in the DataRowHandler component, which fails to properly validate the size of contact name input before processing it. Because the attack requires only local access and no special privileges, any app on a compromised device could trigger the denial of service without user interaction.

  • CVE-2026-10688MEDIUM 5.5

    A code injection vulnerability exists in ahujasid blender-mcp, a tool used for integrating Blender with model context protocol systems. An authenticated attacker can inject and execute arbitrary code by manipulating the 'code' parameter passed to the execute_blender_code function in the server. The vulnerability has been publicly disclosed and exploit code is available. The project uses rolling releases, making it difficult to identify fixed versions; however, the maintainers have been notified but have not yet responded with a patch or mitigation guidance.

  • CVE-2026-20456MEDIUM 5.5

    A flaw in MediaTek's wireless LAN driver allows an authenticated local user to crash the system without any user interaction. The vulnerability stems from missing boundary validation in the wlan STA (Station) driver code, permitting an attacker with user-level access to send crafted input that causes an out-of-bounds write. The impact is denial of service—the device becomes unresponsive until rebooted.

  • CVE-2026-28578MEDIUM 5.5

    A flaw in Android's device policy management system allows a local attacker to cause the device to become unstable or unresponsive by exploiting improper input validation in DevicePolicyManagerService. An attacker with basic user-level access can trigger this issue without user interaction, potentially disrupting device functionality. This is a local denial-of-service vulnerability with no remote attack vector.

  • CVE-2026-46104MEDIUM 5.5

    A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

  • CVE-2026-46106MEDIUM 5.5

    A race condition in the Linux kernel's eventfs subsystem can cause memory corruption or system crashes when users simultaneously remount the tracefs filesystem (which hosts performance monitoring tools) while creating or deleting tracepoints. The vulnerability arises because the kernel walks through a list of event structures during remount without proper synchronization, allowing concurrent operations to corrupt data structures or access freed memory. This is a local issue affecting only users with permission to remount filesystems and modify tracing events.

  • CVE-2026-46108MEDIUM 5.5

    A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

  • CVE-2026-46109MEDIUM 5.5

    A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

  • CVE-2026-46118MEDIUM 5.5

    A flaw in the Linux kernel's PAPR hypervisor pipe driver can cause the kernel to crash when attempting to create a device handle. The issue stems from a recent code refactoring that changed how the driver manages memory allocation and cleanup. When the driver tries to reuse a data structure after it has been cleared, the kernel attempts to access invalid memory, leading to a null pointer dereference and system panic. An unprivileged local user with ioctl access can trigger this crash, resulting in a denial of service.

  • CVE-2026-46126MEDIUM 5.5

    CVE-2026-46126 is a memory cleanup bug in the Linux kernel's RDMA/mana driver that occurs during queue pair creation with RSS (Receive Side Scaling) support. When certain operations fail during setup, the kernel fails to properly release allocated work queue objects, leaving dangling resources. An unprivileged local user can trigger this condition to cause a denial of service by exhausting kernel resources or crashing the system.

  • CVE-2026-46127MEDIUM 5.5

    A local memory safety issue exists in the Linux kernel's RDMA over Converged Ethernet (OCRDMA) driver. During certain error conditions in the protection domain setup function, the code attempts to dereference a null pointer instead of using a valid reference, potentially crashing the system. The vulnerability requires local access and specific user privileges to trigger, making it a moderate-severity issue affecting system stability rather than confidentiality or integrity.

  • CVE-2026-46128MEDIUM 5.5

    A vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem allows local authenticated users to cause a denial of service. The issue stems from insufficient validation of event message buffer responses from Baseboard Management Controllers (BMCs). Some BMCs may return empty or malformed event messages instead of proper error responses, which the kernel fails to validate immediately. This can lead to kernel crashes or hangs when processing these invalid responses. The vulnerability requires local access and authenticated privileges to trigger, limiting its immediate blast radius but requiring attention in environments where untrusted local users have system access.

  • CVE-2026-46131MEDIUM 5.5

    A flaw exists in the Linux kernel's virtualization layer (KVM) where the hypervisor incorrectly validates guest memory operations in nested virtual machines. The vulnerability occurs when checking whether a guest is running nested virtualization—the code currently checks only whether an L2 guest exists, but fails to verify that nested EPT (Extended Page Tables) or NPT (Nested Page Tables) is actually enabled. This mismatch allows a local process running inside a nested guest to trigger denial-of-service conditions by invoking hypercalls that attempt invalid memory translations. The impact is limited to availability; an attacker cannot read or modify data.

  • CVE-2026-46132MEDIUM 5.5

    CVE-2026-46132 is a kernel memory leak in the Linux networking subsystem that allows unprivileged local users to read up to 26 bytes of uninitialized kernel stack memory per virtual function (VF) per request. The vulnerability exists in the rtnetlink interface handler that reports virtual NIC configuration. When a user requests virtual function information, the kernel fails to zero-initialize a buffer before partially filling it with MAC broadcast data, leaving residual stack contents exposed to userspace. An attacker needs only basic local network namespace access to trigger repeated information leaks.

  • CVE-2026-46134MEDIUM 5.5

    A Linux kernel vulnerability in the Chrome OS Embedded Controller (cros_ec) Thunderbolt registration code fails to initialize a mutex lock, causing the system to crash when the uninitialized lock is later accessed. This affects devices that use the affected kernel code path during Thunderbolt device registration and mode switching. An unprivileged local user can trigger the crash by interacting with Thunderbolt/USB-C functionality, resulting in a denial of service.

  • CVE-2026-46139MEDIUM 5.5

    A flaw in the Linux kernel's SMB client code leaves a security descriptor buffer partially uninitialized when building access control lists. Specifically, a 2-byte reserved field in the ACL structure—which must be zero according to the SMB protocol specification—is left containing whatever garbage data happened to be in that heap memory. When Samba or other SMB servers validate the descriptor, they reject it if those bytes are non-zero, causing file permission operations like chmod to fail with an invalid argument error. The fix is straightforward: replace the memory allocation function with one that zeroes the buffer before use.

  • CVE-2026-46141MEDIUM 5.5

    A memory leak vulnerability exists in the Linux kernel's PowerPC XIVE interrupt handling code. When allocating MSI-X interrupt vectors for NVMe devices, the kernel creates interrupt data structures but fails to properly clean them up when the interrupt domain is freed. This occurs because the code looks for the data in the wrong place during cleanup, causing allocated memory to be abandoned. While this is a localized memory management issue, repeated device allocation and deallocation cycles could gradually consume system memory and degrade performance.

  • CVE-2026-46142MEDIUM 5.5

    A flaw in the Linux kernel's libwx network driver allows a virtual machine or container running as a non-privileged user to trigger a system hang by reading a hardware register that should only be accessible to the physical device owner. During virtual function (VF) initialization, the driver incorrectly attempts to access a restricted register (WX_CFG_PORT_ST), causing the system to hang. The issue stems from the driver not properly distinguishing between physical function (PF) and virtual function device contexts when accessing low-level hardware state.

  • CVE-2026-46143MEDIUM 5.5

    CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.

  • CVE-2026-46144MEDIUM 5.5

    A memory cleanup issue exists in the Linux kernel's RDMA/mana driver when creating RSS (Receive-Side Scaling) queue pairs. If an error occurs during queue pair creation, a virtual port steering configuration is not properly freed, leading to a resource leak. While this is a memory management issue rather than a direct data breach risk, it can degrade system stability under error conditions or be exploited to exhaust kernel memory resources on systems with RDMA/mana network adapters.

  • CVE-2026-46146MEDIUM 5.5

    A vulnerability exists in the Linux kernel's USB audio driver that could cause the system to hang indefinitely when processing a specially crafted USB device descriptor. The flaw is in the convert_chmap_v3() function, which processes audio channel mapping information without properly validating the descriptor size field. An attacker with local access could trigger this endless loop, causing a denial of service. The issue affects multiple versions of the Linux kernel and requires local access to exploit.

  • CVE-2026-46147MEDIUM 5.5

    A flaw in the Linux kernel's ARM64 KVM (virtualization) implementation can cause system resource leaks and expose partially initialized virtual CPU objects to concurrent access. When vCPU initialization encounters an error partway through, cleanup code fails to release pinned memory references, accumulating leak over time. Additionally, the vCPU object is published to shared state without proper synchronization barriers, risking observers seeing an incompletely initialized structure. This affects hypervisor deployments using ARM64-based KVM virtualization.

  • CVE-2026-46148MEDIUM 5.5

    A flaw in the Linux kernel's Microchip CoreQSPI SPI controller driver causes incorrect chip select (CS) line management when multiple SPI devices are connected. The hardware's built-in CS is automatically controlled by design, but this automatic behavior conflicts with proper operation when GPIO-based chip selects are also in use. The driver was modified to manually control the CS line instead, allowing correct behavior for both active-low and active-high devices, and preventing the built-in CS from being asserted while other GPIO-controlled devices are being accessed.

  • CVE-2026-46151MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows a malicious or malfunctioning printer to leak uninitialized kernel memory to local users. When a printer responds to a device ID request with fewer bytes than claimed in its length header, the driver fails to zero out the remaining buffer before exposing it via sysfs or an ioctl. An attacker with local access could craft a printer (or intercept USB traffic) to trigger this and read sensitive kernel memory.

  • CVE-2026-46153MEDIUM 5.5

    A memory leak exists in the Linux kernel's VLAN (802.1Q) network driver. When network administrators repeatedly configure and then clear egress QoS priority mappings on VLAN interfaces, the kernel fails to properly delete the cleared mappings. Instead, it retains them as empty placeholders (tombstones) in memory. Over time, this causes memory to accumulate and leak, eventually exhausting system resources when the VLAN device is torn down. The fix involves properly deleting these cleared mappings after a safe grace period rather than leaving them in place.

  • CVE-2026-46156MEDIUM 5.5

    A flaw in the Linux kernel's Loongson GPU driver can cause a system crash when the code attempts to read from an invalid memory address during hardware initialization. The vulnerability occurs in the `loongson_gpu_fixup_dma_hang()` function, which uses incorrect logic to identify and configure GPU devices on certain Loongarch-based systems. When a discrete GPU is present in a non-standard PCI slot configuration, the driver may try to access memory at a random address, triggering a kernel panic. This is a local issue that requires prior system access and affects the stability and availability of affected systems.

  • CVE-2026-46158MEDIUM 5.5

    CVE-2026-46158 is a resource leak in the Linux kernel's MPTCP (Multipath TCP) protocol implementation. When the kernel retransmits an ADD_ADDR control message, it fails to properly release a reference to a socket object in certain error paths, allowing the socket's memory to remain allocated longer than necessary. This leak occurs only when specific unlikely conditions are met during ADD_ADDR retransmission, making it a localized but real availability concern on systems handling MPTCP traffic.

  • CVE-2026-46160MEDIUM 5.5

    A flaw in the Linux kernel's Btrfs filesystem can corrupt the transaction log during recovery if a directory is removed while a process still holds an open file descriptor to it and performs an fsync operation. When the system crashes after this sequence, the filesystem becomes inconsistent and fails to mount, resulting in data loss or extended downtime. This is a local issue requiring user-level access and specific conditions to trigger.

  • CVE-2026-46161MEDIUM 5.5

    A divide-by-zero vulnerability exists in the Linux kernel's RAID10 disk management code. When a user configures RAID10 with a "far_copies" value of zero, the kernel crashes instead of rejecting the invalid configuration. This requires local access and root-level privileges to trigger, making it a local denial-of-service risk rather than a remote compromise threat.

  • CVE-2026-46165MEDIUM 5.5

    A self-deadlock vulnerability exists in the Linux kernel's Open vSwitch module when tunnel ports are released. The issue occurs because the code attempts to clean up network device references while holding locks that prevent the cleanup from completing, causing the system to hang during tunnel port deletion. This is a local denial-of-service condition that affects systems running vulnerable kernel versions with Open vSwitch configured.

  • CVE-2026-46167MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows uninitialized kernel memory to leak to user-space applications through the LPGETSTATUS ioctl command. When a USB printer responds with fewer bytes than expected, the driver fails to initialize the response buffer properly, potentially exposing stale heap memory to callers. This can occur even with standard-behaving printers; the vulnerability is particularly concerning in multi-user environments where one user's application could inadvertently receive residual kernel memory from prior operations.

  • CVE-2026-46168MEDIUM 5.5

    A vulnerability in the Linux kernel's multipath TCP (MPTCP) implementation allows a local attacker with standard user privileges to trigger a denial-of-service condition. The issue stems from improper locking during socket option handling for timestamps. When the kernel attempts to set timestamp options, it uses a fast atomic lock that cannot safely call functions designed to sleep, resulting in a kernel panic. An unprivileged user can exploit this by making specific socket option calls, causing the system to crash or become unresponsive.

  • CVE-2026-46169MEDIUM 5.5

    CVE-2026-46169 is a memory initialization bug in the Linux kernel's HFS+ filesystem driver. When mounting a corrupted HFS+ filesystem, the kernel may read incomplete catalog records and fail to detect that the data is truncated. This leaves portions of a kernel data structure uninitialized. Later, when the filesystem code attempts to process the incomplete record—such as performing case-insensitive string comparison—it uses the uninitialized memory as array indices, triggering a kernel warning. An unprivileged local attacker with the ability to mount a crafted filesystem image could trigger this condition, potentially causing a denial of service or information disclosure.

  • CVE-2026-46170MEDIUM 5.5

    A flaw in the Linux kernel's MPTCP (Multipath TCP) path manager can cause a denial of service when certain network protocol messages are retransmitted. Specifically, when an ADD_ADDR message is resent, the kernel may mismanage internal reference counting for a socket object, potentially leading to a deadlock or crash. An unprivileged local user can trigger this condition, causing the affected system to become unresponsive.

  • CVE-2018-25384MEDIUM 5.4

    Wikidforum 2.20 has a stored cross-site scripting (XSS) flaw that lets authenticated users inject malicious JavaScript into forum replies. When other users view those compromised posts through the rpc.php endpoint, the injected code executes in their browsers, potentially stealing session cookies, redirecting to phishing pages, or performing unauthorized actions on their behalf.

  • CVE-2019-25739MEDIUM 5.4

    GigToDo version 1.3 is vulnerable to a stored cross-site scripting (XSS) attack. An authenticated user can inject malicious JavaScript or HTML code into a proposal description field. When other users—particularly administrators—view that proposal, the attacker's code executes in their browser, potentially stealing session cookies or redirecting them to malicious sites. The vulnerability requires an attacker to already have valid login credentials, but the impact affects anyone who later views the compromised proposal.

  • CVE-2019-25742MEDIUM 5.4

    The Zoner Real Estate WordPress theme version 4.1.1 has a stored cross-site scripting (XSS) flaw in its property creation form. Authenticated real estate agents can inject malicious JavaScript into the property's address field, and that script will execute when site administrators review the property for approval. This could allow attackers to steal admin session cookies or hijack their accounts.

  • CVE-2019-25743MEDIUM 5.4

    WordPress Soliloquy Lite version 2.5.6 contains a stored cross-site scripting (XSS) vulnerability in its post editing functionality. An authenticated attacker can inject malicious JavaScript code into a post's title field, which persists in the WordPress database. When other users—particularly administrators or editors—preview that post, the injected script executes in their browser, potentially compromising their session or enabling further attacks. The vulnerability requires an attacker to have valid WordPress credentials but does not require tricking users into clicking malicious links, making it a genuine persistence risk in multi-user WordPress environments.

  • CVE-2019-25744MEDIUM 5.4

    WordPress Popup Builder version 3.49 contains a stored cross-site scripting (XSS) flaw that allows authenticated users to inject malicious JavaScript into posts or pages. An attacker with WordPress login credentials can craft a specially formatted post title containing script code that breaks out of HTML option tags, causing the malicious script to execute in the browsers of site visitors viewing popup selections. This is a persistence vulnerability—the injected code remains in the database and executes repeatedly.

  • CVE-2026-10213MEDIUM 5.4

    AstrBot version 4.23.6 contains a path traversal vulnerability in its API endpoint that handles skill deletion. An authenticated attacker can manipulate the Name parameter to traverse the file system and read or modify files outside the intended directory structure. The vulnerability is network-accessible and does not require user interaction beyond the attacker having valid credentials. Public exploit code is available, increasing the risk of active exploitation.

  • CVE-2026-10218MEDIUM 5.4

    A security flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to perform actions they shouldn't be authorized to perform. The vulnerability resides in the authentication logic of the application and can be exploited remotely by someone with valid login credentials. Because the flaw has been publicly disclosed, there's elevated risk that attackers may attempt to exploit it.

  • CVE-2026-10284MEDIUM 5.4

    A security flaw in DevaslanPHP project-management versions up to 2.0.0-beta1 allows authenticated users to bypass authorization controls when editing or deleting comments in ticket management workflows. An attacker with login credentials can manipulate comment-related functions to perform actions they shouldn't be authorized to perform, such as deleting or modifying comments belonging to other users. The issue resides in the Livewire handler component and can be exploited remotely without requiring additional user interaction.

  • CVE-2026-10285MEDIUM 5.4

    DevaslanPHP project-management versions up to 2.0.0-beta1 contain an authorization flaw in the ticket handler component. An authenticated user can manipulate ticket records in ways they should not be permitted to perform, potentially modifying or deleting ticket data without proper access controls. The vulnerability requires an existing login but can be exploited remotely over the network.

  • CVE-2026-10984MEDIUM 5.4

    Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.

  • CVE-2026-24754MEDIUM 5.4

    Kiteworks, a private data network platform used for secure file sharing and collaboration, contains a stored cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An authenticated user with legitimate access could craft malicious input that persists in the application and executes in other users' browsers when they view the affected form. This allows the attacker to steal session tokens, perform actions on behalf of victims, or harvest sensitive data passing through their sessions. The vulnerability requires prior authentication and user interaction (clicking a link or viewing a page), limiting but not eliminating its risk. Kiteworks versions before 9.3.0 are affected; upgrading resolves the issue.

  • CVE-2026-24755MEDIUM 5.4

    Kiteworks, a platform for secure data sharing and management, contains a flaw in its Secure Data Forms feature that allows logged-in users to change permissions on files and folders belonging to other users. The vulnerability stems from the system not properly verifying whether a user actually owns or has authority over a resource before allowing permission changes. An attacker with valid credentials could exploit this to gain access to, or revoke access from, other users' sensitive data without authorization.

  • CVE-2026-26378MEDIUM 5.4

    Koha, an open-source library management system, contains a cross-site scripting (XSS) vulnerability in its Invoice feature file upload functionality. An authenticated attacker can craft a malicious file upload that executes arbitrary code in the browsers of users who interact with the uploaded invoice. The vulnerability affects Koha version 25.11 and earlier. Exploitation requires an attacker to have valid library system credentials and user interaction—typically a staff member viewing or processing the invoice.

  • CVE-2026-27351MEDIUM 5.4

    Sekander Badsha Crew HRM contains a missing authorization vulnerability that allows authenticated users to perform actions they should not be permitted to perform due to incorrectly configured access controls. An attacker with valid login credentials can exploit weak permission checks to modify data or disrupt availability, even if their role should restrict such access.

  • CVE-2026-33244MEDIUM 5.4

    React Router versions 7.5.1 through 7.13.1 contain a cross-site scripting (XSS) vulnerability when used in Framework Mode with pre-rendering. If your application redirects users to untrusted URLs and generates static HTML files during build time, attackers can inject malicious scripts into those pre-rendered pages. This vulnerability does not affect applications using the more common Declarative Mode or Data Mode routing approaches. The issue has been fixed in version 7.13.2.