By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
1014 published vulnerabilities · page 4 of 11
- CVE-2026-0087HIGH 7.8
A logic error in Android's domain verification service allows a local attacker to hijack app links associated with arbitrary applications. By exploiting this flaw, an attacker can redirect app links to malicious apps, potentially intercepting sensitive user actions or data. The vulnerability requires local access but no special permissions or user interaction, making it a meaningful escalation path on compromised or personally-owned devices.
- CVE-2026-0088HIGH 7.8
A flaw in Android's certificate installer component allows a malicious app with basic system privileges to bypass security dialogs that normally protect sensitive operations. By exploiting misleading UI presentation, an attacker can escalate their permissions without user knowledge or interaction. The vulnerability is particularly dangerous because it requires no special execution rights—a standard app can trigger it.
- CVE-2026-0089HIGH 7.8
CVE-2026-0089 is a vulnerability in Android's PackageInstallerService that allows a local attacker with basic user-level permissions to bypass security checks and install applications without proper verification. Because the vulnerability exists in multiple functions that lack proper permission validation, an attacker can escalate their privileges by sidestepping the normal app installation safeguards. No user interaction or special device access is required to exploit this flaw once an attacker has obtained standard user privileges on the device.
- CVE-2026-0091HIGH 7.8
A privilege escalation vulnerability exists in Android where an over-privileged shell user can execute arbitrary code within the launcher process. An attacker with local access can exploit this weakness to gain elevated privileges without needing special execution rights or user interaction. This is a local-only threat that targets the core launcher functionality central to Android's user interface and app management.
- CVE-2026-0093HIGH 7.8
CVE-2026-0093 is a local privilege escalation vulnerability affecting Google Android. The flaw stems from misleading user interface elements that obscure the true nature of certain operations, potentially tricking users into granting elevated permissions. An attacker with local access to the device can exploit this weakness to escalate privileges without needing special system permissions beforehand, and notably, without requiring any user interaction during the actual exploitation phase. The vulnerability allows an attacker to read, modify, or delete sensitive data and potentially take control of affected system functions.
- CVE-2026-0094HIGH 7.8
A flaw in Android's KeyChain component allows a local attacker with user-level privileges to manipulate the certificate approval interface in a way that tricks the system into granting access to certificates without explicit user consent. The vulnerability stems from misleading or incomplete UI messaging in the getApplicationLabel function, enabling privilege escalation entirely through local interaction. No special permissions or user action is required to exploit it once initiated.
- CVE-2026-0096HIGH 7.8
CVE-2026-0096 is a local privilege escalation vulnerability in Android's ForgetDeviceDialogFragment that allows an attacker with local access to manipulate or bypass a device-forget confirmation flow due to misleading UI elements. The vulnerability requires no user interaction to exploit and can result in unauthorized privilege escalation on the affected device.
- CVE-2026-0098HIGH 7.8
CVE-2026-0098 is a local privilege escalation vulnerability in Android's package-calling logic that allows a malicious app to bypass restrictions on which activities it can start. The flaw stems from a confused deputy problem—the system incorrectly trusts the calling context of an app requesting activity launches. An attacker with a local app installation can exploit this without special permissions or user interaction to gain elevated privileges, potentially accessing sensitive device functions or data reserved for system components.
- CVE-2026-0099HIGH 7.8
A vulnerability exists in Android's host emulation manager that allows a malicious app to launch activities (screen components) from the background without proper authorization. The flaw stems from a logic error in how the system validates binding requests. While an attacker needs to be a local user with some system access already, they can exploit this to gain elevated privileges on the device. The vulnerability requires user interaction to trigger—likely through social engineering or user action within a compromised app context.
- CVE-2026-0100HIGH 7.8
A heap buffer overflow vulnerability exists in Android's resource loading code (LoadedArsc.cpp) that allows a local attacker with standard user privileges to write data beyond the intended buffer boundaries. This memory corruption can be exploited to gain elevated system privileges without requiring special permissions or user interaction, making it a serious local privilege escalation vector.
- CVE-2026-10046HIGH 7.8
Bitdefender Napoca is a bare-metal hypervisor—a foundational piece of virtualization software that runs directly on hardware. A vulnerability exists in how it handles a legacy BIOS memory lookup request (INT 0x15). When a guest operating system makes this request with specific register values, the hypervisor fails to check whether the destination memory address is valid, allowing data to be written beyond the allocated buffer. An attacker with access to a guest system can exploit this to write data into the hypervisor's internal memory, potentially compromising the entire virtualization layer. Importantly, Napoca is end-of-life and no longer receives vendor support.
- CVE-2026-10047HIGH 7.8
Bitdefender's Napoca bare-metal hypervisor contains a memory safety flaw that allows a local attacker with limited privileges to write data beyond the boundaries of an internal memory buffer. By crafting specific processor register values, an attacker can overflow into the hypervisor's heap memory, potentially corrupting critical hypervisor state or executing arbitrary code. This vulnerability affects an end-of-life product that is no longer receiving security updates.
- CVE-2026-10118HIGH 7.8
Poppler, a widely-used PDF rendering library, contains a vulnerability in its Splash graphics backend that allows attackers to execute arbitrary code or crash applications by delivering specially crafted PDF files. The flaw stems from an integer overflow in the tiling pattern fill function—a feature used to render repeating graphical patterns in PDFs. When an attacker-controlled integer value overflows during this calculation, it causes the library to allocate insufficient heap memory. This undersized buffer is then written to beyond its boundaries, corrupting adjacent memory and potentially enabling code execution.
- CVE-2026-10942HIGH 7.8
Google Chrome on Windows contains a UI implementation flaw that allows a local attacker to escalate privileges by opening a malicious file. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (opening a file) but no authentication. If exploited, an attacker could gain elevated system privileges on an affected machine.
- CVE-2026-20455HIGH 7.8
CVE-2026-20455 is a local privilege escalation vulnerability in MediaTek's geniezone component affecting a wide range of SoC firmware versions. An attacker who already holds system-level privileges can exploit a missing bounds check in memory write operations to escalate their access further. The vulnerability requires no user interaction and impacts dozens of MediaTek chipset families used in Android devices and embedded systems.
- CVE-2026-24221HIGH 7.8
NVIDIA's NVTabular library contains a deserialization vulnerability that could allow an authenticated attacker to execute arbitrary code, modify data, or steal sensitive information. The vulnerability is rated HIGH severity and requires local system access and valid user credentials to exploit. While not currently listed as actively exploited, this flaw merits prompt attention given the potential for code execution on systems processing sensitive machine learning datasets.
- CVE-2026-24237HIGH 7.8
NVIDIA NVTabular is vulnerable to unsafe deserialization of untrusted data. An attacker with local access and basic user privileges could exploit this flaw to execute arbitrary code, modify data, or steal sensitive information from systems running the affected software.
- CVE-2026-25260HIGH 7.8
A memory corruption vulnerability in Qualcomm firmware and associated devices allows a local, authenticated attacker to corrupt memory by modifying shared buffers concurrently without the system validating those changes. This is a time-of-check-time-of-use (TOCTOU) style flaw where kernel or firmware code assumes a buffer's contents remain unchanged, but a malicious user-mode process modifies it between the check and actual use. The vulnerability requires local access and valid credentials but can lead to complete system compromise.
- CVE-2026-25551HIGH 7.8
Seagull Software BarTender versions 2021 R1 through 12.0.1 contain a flaw that allows local users with standard privileges to gain system-level access. The vulnerability stems from how BarTender's system service handles incoming network requests—it trusts serialized data without proper validation, allowing an attacker to craft malicious requests that execute code with the highest Windows privileges. Because the vulnerable service only listens on the local machine, an attacker must already have a local user account to exploit it, but once inside, they can escalate to full system control.
- CVE-2026-27788HIGH 7.8
ServerView Agents for Windows versions up to 11.60.04 contain a privilege escalation vulnerability rooted in improper file or resource permissions. Any local user with valid credentials on the affected server can exploit this flaw to gain SYSTEM-level access, effectively taking complete control of the system. The vulnerability requires no user interaction and affects all Windows deployments running the vulnerable software versions.
- CVE-2026-28577HIGH 7.8
A vulnerability in Android's window management system allows a locally authenticated attacker to perform a tapjacking attack—placing hidden overlay windows on top of legitimate applications to intercept user input or actions. This attack doesn't require user interaction to trigger and can result in unauthorized privilege escalation. The attacker needs only local access to the device (such as through an installed app), making it a practical threat in real-world scenarios.
- CVE-2026-28580HIGH 7.8
CVE-2026-28580 is a local privilege escalation vulnerability affecting Google Android. An attacker with basic user-level access to a device can exploit an incorrect bounds check in multiple persistence-related functions to gain elevated privileges without requiring additional capabilities or interaction from the user. The issue stems from a synchronization problem that allows the attacker to manipulate persistent data in an unexpected way, ultimately escalating their permissions on the system.
- CVE-2026-32325HIGH 7.8
ServerView Agents for Windows contains a privilege escalation flaw that allows an already-authenticated local user to gain SYSTEM-level access. This is not a remote attack—the attacker must have legitimate credentials and local login capability on the affected server. However, once inside, they can elevate to the highest privilege level, potentially taking full control of the system.
- CVE-2026-36574HIGH 7.8
CactusViewer v2.3.0 contains a DLL hijacking vulnerability that allows an attacker to execute arbitrary code and escalate privileges on a system where the application is installed. The flaw occurs because the application loads dynamic libraries in an unsafe manner, enabling an attacker to place a malicious DLL in a location the application searches before legitimate system libraries. When CactusViewer runs, it loads the attacker's malicious code instead of the legitimate library, granting the attacker the same privilege level as the user running the application.
- CVE-2026-38950HIGH 7.8
ESA AnomalyMatch versions before 1.3.1 contain a critical flaw that allows attackers with local system access to run malicious code by uploading specially crafted model checkpoint files. The vulnerability stems from the application's use of unsafe deserialization when loading PyTorch model files, which can execute arbitrary Python code during the loading process. An attacker who can place a malicious model file in the session directories—or trick a user into loading one—gains the ability to execute commands with the privileges of the AnomalyMatch process.
- CVE-2026-40290HIGH 7.8
OP-TEE is a trusted execution environment that provides a secure processing space on Arm-based processors. A race condition in OP-TEE versions 3.16.0 through 4.10.x creates a use-after-free vulnerability in the shared memory management code. The vulnerability occurs when OP-TEE is configured to manage secure partitions (a specific operational mode). A local user could exploit this by timing concurrent operations on shared memory to cause the system to access memory that has already been freed, potentially compromising the confidentiality, integrity, or availability of the secure environment.
- CVE-2026-40619HIGH 7.8
A high-severity vulnerability in Genetec Security Center main server installations can allow an attacker who already has local access to the server's operating system to steal the Server Admin credentials. The unusual aspect of this vulnerability is that it affects specific installation builds rather than entire product versions—meaning two installations of the same version number could have different risk levels depending on which build was deployed. There is currently no public evidence that this flaw is being actively exploited in the wild.
- CVE-2026-40715HIGH 7.8
Dell ThinOS 10 versions before 2602_10.0765 contain an access control flaw that allows a user with basic system access to gain elevated administrative privileges. An attacker already on the system as a regular user could leverage this vulnerability to take full control, making it a critical privilege escalation risk for any organization relying on ThinOS-based thin clients or endpoints.
- CVE-2026-41859HIGH 7.8
BOSH nats-sync, a component that synchronizes NATS authorization data with BOSH director state, fails to validate SSL/TLS certificates when communicating with the BOSH director. An attacker positioned on the network between nats-sync and the director can intercept traffic, steal administrative credentials (HTTP Basic auth headers or UAA client secrets), and modify the list of VMs that nats-sync writes to the NATS authorization file. This combination of credential theft and authorization tampering could grant attackers full administrative control of the BOSH deployment.
- CVE-2026-43958HIGH 7.8
CVE-2026-43958 is a stack-based buffer overflow vulnerability in rrdcached, the caching daemon component of rrdtool (a time-series data storage and graphing tool commonly used in network monitoring and systems management). An attacker with local access to the rrdcached socket can trigger the flaw by sending a specially crafted CREATE request with an oversized payload. Successful exploitation could crash the daemon, causing service disruption, or potentially enable arbitrary code execution with the privileges of the rrdcached process.
- CVE-2026-45322HIGH 7.8
Microsoft's UFO framework, an open-source tool for automating tasks across devices, contains a command injection flaw in its shell execution component. An attacker with write access to UFO's session files can embed malicious system commands that execute with the privileges of the UFO process when a session is resumed or replayed. This creates a local privilege escalation risk in environments where session files may be accessible or shared.
- CVE-2026-46105HIGH 7.8
A flaw in the Linux kernel's mpt3sas driver allows NVMe storage controllers to accept I/O requests larger than the driver can safely handle. The driver allocates a fixed 4 KB buffer that can hold at most 512 entries in its request queue (PRP list), limiting safe transfers to 2 MiB. However, the firmware may advertise support for larger transfers based on the drive's capabilities. When oversized requests are issued, the kernel can crash. This vulnerability requires local access and valid user privileges to exploit.
- CVE-2026-46107HIGH 7.8
A bug in the Linux kernel's device mapper thin provisioning layer can cause reference counting errors when managing shared metadata trees. When the kernel tries to reorganize a btree node that has been shared across multiple data structures, it fails to properly track pointers to child nodes, leading to crashes and data unavailability. The flaw occurs specifically in the rebalance_children function during metadata tree operations.
- CVE-2026-46111HIGH 7.8
A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.
- CVE-2026-46112HIGH 7.8
A locking bug exists in the Linux kernel's RDMA HNS driver when creating queue pairs. During error recovery in queue pair creation, the code attempts to clean up resources without holding required synchronization locks. This unlocked cleanup can corrupt internal kernel memory structures, potentially allowing a local attacker to escalate privileges or crash the system. The vulnerability affects the error handling path specifically—the normal operation path uses proper locking.
- CVE-2026-46116HIGH 7.8
A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.
- CVE-2026-46117HIGH 7.8
A flaw in the Linux kernel's RDMA/mana driver allows unprivileged local users to trigger a kernel warning and corrupt memory by creating queue pairs (QPs) that share the same completion queue (CQ) through the user-space API. The vulnerability bypasses validation logic that should reject this invalid configuration, leading to kernel memory corruption. The fix enforces proper validation to reject such requests at creation time rather than allowing them to proceed and corrupt state.
- CVE-2026-46120HIGH 7.8
A flaw in the Linux kernel's IPv6 GRE tunnel implementation allows a local attacker with unprivileged user namespace capabilities to trigger memory corruption. The vulnerability stems from inconsistent netns (network namespace) handling in the ip6erspan_changelink() function, which fails to use the correct cached network namespace context when reconfiguring an ERSPAN tunnel after it has been migrated between namespaces. This can lead to kernel crashes and potential privilege escalation.
- CVE-2026-46121HIGH 7.8
A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.
- CVE-2026-46122HIGH 7.8
A flaw exists in the Linux kernel's b43 wireless driver that can allow a local attacker to read memory outside the bounds of an internal array. The issue stems from insufficient validation of a firmware-supplied index value used to access encryption keys. When the firmware provides an invalid index—one larger than the 58-entry key array—the driver does not properly reject it in production systems, leading to an out-of-bounds read. An attacker with local system access could exploit this to leak sensitive kernel memory.
- CVE-2026-46129HIGH 7.8
A double-free memory corruption bug exists in the Linux kernel's Btrfs filesystem implementation. When the kernel initializes and registers filesystem space information objects with the sysfs interface, a failure in that registration process can cause the same memory block to be freed twice. This happens because the error recovery code doesn't account for cleanup already performed by the object release callback. A local attacker with unprivileged user access could trigger this condition and gain kernel-level privileges.
- CVE-2026-46136HIGH 7.8
A flaw in the Linux kernel's MT7921 Wi-Fi driver can cause a buffer length counter to drop below zero under specific conditions when the driver processes country power settings from the Carrier List Configuration (CLC). This underflow triggers either an excessive loop that nearly hangs the system or applies an invalid power setting, preventing the driver from initializing properly. An attacker with local access could exploit this to degrade Wi-Fi functionality or trigger a denial of service.
- CVE-2026-46145HIGH 7.8
CVE-2026-46145 is a memory corruption vulnerability in the Linux kernel's RDMA/mana driver. An unprivileged local user can manipulate a parameter called rx_hash_key_len from user space to cause an unbounded memory copy operation, corrupting kernel memory. The vulnerability stems from insufficient validation of user-supplied input before it is passed to a memory copy function, creating a path for local privilege escalation or system crash.
- CVE-2026-46157HIGH 7.8
A concurrency bug exists in the Linux kernel's ALSA (Advanced Linux Sound Architecture) OSS (Open Sound System) compatibility layer. When multiple processes try to access and modify the trigger control bit simultaneously, the kernel lacks proper synchronization, allowing writes to corrupt not just the intended trigger flag but adjacent bit fields in memory. This confusion can destabilize audio subsystem behavior. The vulnerability requires local access and privileges to trigger.
- CVE-2026-46162HIGH 7.8
A flaw in the Linux kernel's ice (Intel ice) network driver creates a double-free memory corruption condition in the auxiliary device activation error handler. When the driver attempts to activate a subfunction Ethernet device but the operation fails partway through, the error handling code frees the same memory region twice, corrupting the kernel heap. An attacker with local access and unprivileged user privileges can trigger this condition to escalate privileges or crash the system.
- CVE-2026-46163HIGH 7.8
A flaw exists in the Linux kernel's b43legacy wireless driver that fails to properly validate array index bounds when processing incoming wireless frames. The firmware supplies a key index value that the driver uses to access a cryptographic key array, but there is no enforcing check to ensure this index stays within valid bounds. In production builds, this allows an attacker with local access to trigger an out-of-bounds memory read by crafting malicious wireless traffic, potentially exposing sensitive kernel memory or causing a system crash.
- CVE-2026-10107HIGH 7.7
MoviePilot v2 has a security flaw in its image proxy feature that lets authenticated users access internal network resources they shouldn't be able to reach. An attacker with valid login credentials can trick the proxy into fetching files or services from private networks—like personal media servers—by crafting requests with specific cookies and domain names. The vulnerability exists because the security check only verifies that a domain name appears to be allowed, but doesn't block access to internal, private, or loopback addresses. This means an attacker could map out internal services or steal data from them.
- CVE-2026-4035HIGH 7.7
MLflow, a popular open-source machine learning platform, contains a credential exposure vulnerability affecting versions before 3.11.0. The flaw allows attackers to extract sensitive server-side environment variables—such as AWS credentials—by manipulating how the AI Gateway handles secrets. An attacker with basic authentication access (or no authentication in default setups) can craft requests that trick MLflow into exposing these credentials to attacker-controlled endpoints. This is particularly dangerous because exposed cloud credentials could allow further compromise of artifact repositories and downstream systems.
- CVE-2026-42398HIGH 7.7
CVE-2026-42398 is a Server-Side Request Forgery (SSRF) vulnerability in Kibana that allows authenticated users with connector management privileges to circumvent network egress restrictions. An attacker with the right permissions can configure a malicious Webhook connector that tricks Kibana into making outbound HTTP requests to internal or restricted destinations that should have been blocked by the organization's firewall or allowlist policies. This effectively punches through network security controls by leveraging Kibana's own trusted outbound connection capability.
- CVE-2026-42965HIGH 7.7
OpenShift Router contains a flaw that allows users with EndpointSlice write permissions to redirect traffic through the router to cloud metadata endpoints. By crafting a Service backed by an FQDN-based EndpointSlice pointing to a cloud metadata service, an attacker can intercept and read sensitive instance credentials and metadata that should never be exposed. This circumvents existing IP address validation protections designed to block such access.
- CVE-2026-44285HIGH 7.7
FastGPT, an AI Agent building platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions before 4.15.0-beta1. An authenticated user can bypass the platform's internal network protection and send HTTP requests to services on the internal network that should be inaccessible. The flaw exists in the dataset preview feature when using the externalFile import type. This allows an attacker with valid credentials to potentially access sensitive internal services, databases, or administrative endpoints that are normally restricted from external access.
- CVE-2026-46123HIGH 7.7
A vulnerability in the Linux kernel's Bluetooth virtio backend driver allows a malicious or buggy virtual device to expose uninitialized kernel memory to unprivileged processes. The driver fails to properly validate the length of data reported by the virtual device, permitting reads beyond the intended 1000-byte receive buffer. An attacker with the ability to control a virtio Bluetooth backend—such as a compromised hypervisor or malicious VM—can leak sensitive kernel heap data or trigger denial of service. This is a local attack requiring some form of device emulation control, but it directly compromises memory isolation guarantees in virtualized environments.
- CVE-2019-25722HIGH 7.6
Dräger's patient monitoring devices contain hard-coded login credentials embedded in their source code and are vulnerable to denial-of-service attacks via malformed network packets. An attacker with physical access can use these credentials to gain unauthorized entry and reconfigure clinical settings. A remote attacker can crash the devices repeatedly, severing network connectivity and interrupting patient monitoring—a particularly serious concern in hospital environments where continuous surveillance is critical to patient care.
- CVE-2025-15655HIGH 7.6
Mojoomla School Management contains a SQL injection vulnerability that allows authenticated administrators to execute arbitrary SQL commands against the underlying database. An attacker with high-level privileges can exploit this flaw to read sensitive data, modify school records, or cause service disruptions. The vulnerability affects all versions up to and including 93.2.0.
- CVE-2026-24782HIGH 7.6
Kiteworks, a platform designed to securely manage private data networks, contains multiple SQL injection flaws in its Secure Data Forms feature. Prior to version 9.3.0, an authenticated user with FormBuilder role permissions can exploit these vulnerabilities to access or alter form definitions belonging to other users and potentially modify some system-wide settings. This is a privilege escalation and data exposure risk that requires prompt patching.
- CVE-2026-41234HIGH 7.6
Froxlor, an open-source server administration platform, contains a vulnerability in its DNS management API that allows authenticated users to break out of TXT record fields and inject malicious DNS directives. An attacker with customer-level DNS editing permissions can inject newline characters into TXT record values, causing them to span multiple lines in the generated BIND zone file. This allows injection of arbitrary BIND directives like `$INCLUDE` or `$GENERATE`, as well as unauthorized DNS records (A, MX, CNAME entries). The vulnerability affects all versions prior to 2.3.7 and is notable because it bypassed an earlier attempted fix for similar issues in other record types.
- CVE-2026-41518HIGH 7.6
Chartbrew, an open-source data visualization platform, contains a stored cross-site scripting (XSS) vulnerability affecting versions 4.9.0 through 5.0.0. A project editor can inject malicious HTML and JavaScript into chart legend fields, which is then executed in the browsers of anyone viewing the public dashboard—including unauthenticated users—without requiring any user interaction. This allows an attacker to steal sensitive data, hijack user sessions, or perform actions on behalf of viewers.
- CVE-2018-25391HIGH 7.5
HaPe PKH 1.1 contains a critical authorization bypass flaw that allows anyone on the internet to delete administrative records without logging in or proving identity. An attacker can craft simple requests to remove administrator accounts and system updates by directly specifying which records to delete. The application fails to verify whether the requester has permission to perform these destructive actions, making it trivial to sabotage the system's core administrative functions.
- CVE-2018-25396HIGH 7.5
Heatmiser Wifi Thermostat version 1.7 exposes administrator credentials in plaintext to anyone with network access. An attacker can visit a specific page (networkSetup.htm) without logging in and retrieve the admin username and password directly from the HTML. This is a serious problem because it bypasses all authentication and gives attackers full control of the device.
- CVE-2018-25408HIGH 7.5
A vulnerability in Open ISES Project version 3.30A allows anyone on the internet to download files from an affected server without needing to log in. An attacker can craft a specially formatted request to the ajax/download.php endpoint that uses path traversal techniques (such as ../ sequences) to escape the intended download directory and retrieve sensitive files like configuration files, database backups, or system files. The vulnerability requires no authentication, no special user interaction, and can be exploited over the network.
- CVE-2018-25426HIGH 7.5
WinMTR version 0.91 has a denial-of-service flaw that allows remote attackers to crash the application without authentication. By sending a specially crafted input file with approximately 238 bytes of repeated characters, an attacker can trigger a buffer overflow condition that terminates the application. This is a straightforward denial-of-service attack with no authentication requirement, making it accessible to any network-adjacent threat actor.
- CVE-2024-14036HIGH 7.5
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service flaw affecting hospital networks. An attacker on the same network can send specially crafted, unencrypted discovery messages that force the affected system to consume excessive CPU resources. Once the system is overloaded, it stops processing legitimate discovery messages, disrupting device communication. This requires network access but no authentication.
- CVE-2025-41271HIGH 7.5
A path traversal vulnerability exists in the Waterfall WF-500 Console WebUI that allows attackers to read sensitive files from affected devices without requiring authentication. The flaw stems from improper handling of relative file paths, enabling an attacker to navigate outside intended directories and access arbitrary files on the system. This is a remote attack requiring only network access—no user interaction or special privileges needed.
- CVE-2025-46638HIGH 7.5
Dell BSAFE SSL-J contains a resource exhaustion vulnerability that allows an unauthenticated attacker on the network to overwhelm the application by allocating unbounded resources without limits or throttling mechanisms. This causes a denial of service condition, rendering the service unavailable to legitimate users. No authentication is required to trigger the flaw, making it accessible to any remote attacker.
- CVE-2025-58024HIGH 7.5
UnboundStudio's Accordion FAQ plugin contains a vulnerability that allows authenticated users to include and execute arbitrary local files on the server. An attacker with login credentials could potentially read sensitive files or execute malicious code by manipulating how the plugin handles file inclusion requests. This is a local file inclusion (LFI) issue, not a remote file inclusion despite the CWE classification, meaning attackers must have valid user access to exploit it.
- CVE-2025-70099HIGH 7.5
A vulnerability in the lwext4 library (version 1.0.0) can crash applications that process specially crafted EXT4 filesystem images. The flaw occurs when the code attempts to read file information from a corrupted directory entry without first verifying the entry pointer exists. An attacker could provide a malicious filesystem image to trigger this crash, disrupting service availability. This is a denial-of-service issue with no data theft or system compromise risk.
- CVE-2025-8873HIGH 7.5
A flaw in Arista EOS can be triggered by a specially crafted network packet when IPsec is enabled, causing the system to stop forwarding all IPsec-protected traffic. While the control plane may attempt to recover and restart IPsec processing, traffic flow may not resume afterward. Non-IPsec traffic and IPsec sessions not local to the affected device remain unaffected. An Arista customer first reported this issue.
- CVE-2026-10003HIGH 7.5
A use-after-free vulnerability in Chrome's Views component allows attackers to execute arbitrary code on affected systems. The flaw requires user interaction—specifically, the victim must perform particular UI gestures after being convinced to visit a malicious webpage. Once triggered, the vulnerability grants the attacker the same privileges as the user running the browser, potentially leading to complete system compromise.
- CVE-2026-10005HIGH 7.5
Google Chrome on macOS contains a use-after-free vulnerability in its WebAppInstalls component that can be exploited to execute arbitrary code. An attacker would need to convince a user to perform specific gestures within a crafted HTML page to trigger the flaw. This affects Chrome versions prior to 148.0.7778.216.
- CVE-2026-10006HIGH 7.5
A race condition in Google Chrome's WebAudio component allows attackers to execute arbitrary code within the browser sandbox by serving a specially crafted HTML page to a user. The vulnerability requires user interaction (clicking or navigating to the malicious page) but does not require special privileges. Successfully exploiting this issue could allow an attacker to run code with the permissions of the Chrome process, potentially leading to data theft, malware installation, or further system compromise.
- CVE-2026-10009HIGH 7.5
A mathematical error in Chrome's graphics rendering engine (Skia) could allow attackers to break out of the browser sandbox and run malicious code if they've already compromised the browser's rendering process. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction, such as visiting a malicious webpage, to trigger the exploit.
- CVE-2026-10022HIGH 7.5
A type confusion flaw in Google Chrome's V8 JavaScript engine (CVE-2026-10022) allows attackers to execute arbitrary code within the browser sandbox if they can trick a user into installing a malicious Chrome extension. The vulnerability affects Chrome versions before 148.0.7778.216 and impacts Windows, macOS, and Linux systems. While the underlying Chromium severity is rated Medium by Google, the CVSS v3.1 score of 7.5 reflects the practical risk: an attacker gaining code execution inside the Chrome sandbox can read sensitive data, modify browser state, or escalate privileges. The attack requires social engineering to distribute the malicious extension, which limits opportunistic exploitation but remains a credible threat in targeted campaigns.
- CVE-2026-10044HIGH 7.5
Usagi-org's ai-goofish-monitor application contains a critical flaw that allows anyone on the network to read files from an affected Windows server without authentication. By crafting a specially-formed request to the GET /api/prompts/{filename} endpoint, an attacker can bypass the application's path-checking logic and access sensitive files stored on the system—such as configuration files, credentials, or other sensitive data accessible to the application process. The vulnerability exploits a weakness in how the application validates file paths, specifically by allowing absolute Windows paths and backslash characters that the incomplete validation routine fails to detect.
- CVE-2026-10056HIGH 7.5
Network Optix Nx Witness VMS contains a cross-origin resource sharing (CORS) misconfiguration in its REST API that allows an unauthenticated attacker to steal a logged-in user's session token and hijack their administrator account. The vulnerability exists only in the default Standard security mode on Linux and Windows systems running versions prior to 6.1.2. An attacker would craft a malicious web page and trick a victim into visiting it while authenticated to the VMS; the browser would then leak the session credentials to the attacker. The High security mode configuration is not affected by this flaw.
- CVE-2026-10069HIGH 7.5
A denial-of-service vulnerability exists in Shibby Tomato 1.28's miniupnpd service that allows unauthenticated attackers to exhaust system resources remotely. The flaw resides in an unspecified function within the UPnP daemon and can be triggered without special privileges or user interaction. While Shibby Tomato is no longer maintained (superseded by FreshTomato), organizations still running this legacy firmware remain at risk.
- CVE-2026-10073HIGH 7.5
DreamMaker, a product by Interinfo, contains a flaw that allows attackers to read arbitrary files from the system without authentication. An attacker can exploit a relative path traversal weakness to access sensitive system files they shouldn't be able to reach. This is a network-accessible vulnerability, meaning an attacker doesn't need physical access or prior system credentials to attempt exploitation.
- CVE-2026-10108HIGH 7.5
xiaomusic version 0.5.7 contains an unauthenticated vulnerability that allows attackers to download files from anywhere on the server, not just the music directory. The flaw exists in how the application validates file paths when serving content. An attacker can craft special requests that bypass this validation to read sensitive files—such as configuration files, private keys, or application source code—without needing any credentials. The vulnerability affects any exposed xiaomusic instance running the affected version.
- CVE-2026-10621HIGH 7.5
Collibra Agent contains a path traversal vulnerability in its restore handler that allows attackers to write arbitrary files to a system by uploading a malicious ZIP archive. The vulnerability stems from insufficient validation of file paths during ZIP extraction, enabling an attacker to escape the intended extraction directory and place files anywhere on the system. No authentication is required to exploit this flaw.
- CVE-2026-10701HIGH 7.5
Firefox's text rendering engine contains a flaw in how it validates memory boundaries when processing text data. An attacker on the network can exploit this without requiring user interaction or special permissions, allowing them to read sensitive information from the browser's memory. The vulnerability affects Firefox versions prior to 151.0.3.
- CVE-2026-10737HIGH 7.5
The SP Project & Document Manager plugin for WordPress has a serious authorization flaw that allows anyone on the internet to download files from project folders without logging in. The vulnerability stems from a flawed permission check that uses logic errors to bypass all security gates. An attacker only needs to know or guess a file ID to request access through a standard WordPress admin interface, potentially exposing confidential project documents, contracts, customer data, or other sensitive files stored within the plugin.
- CVE-2026-10796HIGH 7.5
nvm (Node Version Manager) versions through 0.40.4 contain a command injection vulnerability in how they process version strings retrieved from configured Node.js mirrors. When you run commands like `nvm install`, the tool fetches available versions from a mirror's index and builds download URLs and shell commands using the version string without proper sanitization. An attacker controlling the mirror, intercepting unencrypted mirror traffic, or providing malicious mirror content can inject arbitrary commands that execute with the privileges of the user running nvm. The official default mirror (nodejs.org over HTTPS) is not affected, but users relying on alternative mirrors or unencrypted connections face significant risk.
- CVE-2026-10899HIGH 7.5
A use-after-free vulnerability exists in Google Chrome's Ozone display system on Linux that could allow an attacker to corrupt the browser's memory. If a user is tricked into performing specific UI interactions on a malicious webpage, the attacker could potentially execute code or crash the browser. This flaw affects Chrome versions prior to 149.0.7827.53 on Linux systems.
- CVE-2026-10900HIGH 7.5
A use-after-free flaw in Google Chrome's password management feature on macOS allows attackers to corrupt memory and potentially execute code if they trick a user into performing specific interactions with a malicious webpage. The vulnerability requires user interaction and affects Chrome versions before 149.0.7827.53. While rated HIGH by CVSS, the attack surface is narrowed by the need for deliberate user gestures and the complexity of reliable exploitation.
- CVE-2026-10901HIGH 7.5
A use-after-free memory flaw exists in Google Chrome's password manager on macOS. An attacker can trigger the vulnerability by convincing a user to interact with a specially crafted webpage in specific ways—for example, through unusual clicking patterns or drag-and-drop actions in the password UI. Successful exploitation allows remote code execution with the privileges of the Chrome process. This is a memory safety issue where the browser continues to reference password manager data after it has been freed, creating an opportunity for malicious code injection.
- CVE-2026-10906HIGH 7.5
Google Chrome contains a use-after-free vulnerability in its WebAuthentication implementation that can lead to heap memory corruption. An attacker must craft a malicious HTML page and convince a user to interact with it in a specific way—such as clicking or gesturing within the web interface—to trigger the flaw. Successfully exploiting this could allow the attacker to execute arbitrary code or crash the browser. The vulnerability affects Chrome versions before 149.0.7827.53.
- CVE-2026-10946HIGH 7.5
Google Chrome versions before 149.0.7827.53 contain a heap buffer overflow vulnerability in its media processing component. An attacker can exploit this by hosting a specially crafted HTML page and convincing a user to interact with it in specific ways—such as clicking, dragging, or performing other UI gestures. If successful, the attacker gains the ability to run arbitrary code, but crucially, that code executes within Chrome's sandbox, limiting lateral damage to the user's system. The vulnerability requires active user involvement, which raises the bar for exploitation but remains a meaningful risk given how often users interact with web content.
- CVE-2026-10969HIGH 7.5
A flaw in Google Chrome's extension validation system allows attackers to escalate privileges if they've already compromised Chrome's rendering engine. An attacker would need to trick a user into viewing a specially crafted webpage while the renderer process is already under their control, leading to unauthorized system-level access. This is a High-severity issue affecting Chrome versions before 149.0.7827.53.
- CVE-2026-32847HIGH 7.5
DeepCode contains a path traversal vulnerability that allows anyone on the internet to read sensitive files from the server without needing to authenticate or provide credentials. An attacker can craft specially-encoded URLs that trick the application into serving files it shouldn't, such as SSH keys, TLS certificates, and application secrets. The vulnerability exists in how the application handles file paths in its web interface, and the encoding bypass makes it straightforward to exploit.
- CVE-2026-32995HIGH 7.5
Rocket.Chat contains an authentication bypass vulnerability in its direct message protocol (DDP) translation feature. An authenticated user—even without access to specific rooms or channels—can read private messages, direct messages, and end-to-end encrypted messages from other users by exploiting an unprotected DDP method. The flaw stems from insufficient permission checks when a client requests message translation, allowing lateral message enumeration across the entire Rocket.Chat instance.
- CVE-2026-34077HIGH 7.5
React Router versions 7.7.0 through 7.13.1 contain a client-side Cross-Site Scripting (XSS) vulnerability when using the unstable React Server Components (RSC) APIs. If an application accepts redirect parameters from untrusted sources and processes them through React Router's RSC redirect handling, an attacker could inject malicious scripts that execute in users' browsers. The vulnerability does not affect applications that do not use the unstable RSC APIs. Shopify's React Router package released patch version 7.13.2 to address this issue.
- CVE-2026-34126HIGH 7.5
TP-Link's Tapo smart home devices—the L535E light strip, P300 smart plug, and D100C chime—send unencrypted Bluetooth data during initial setup. An attacker nearby could intercept this traffic, eavesdrop on setup credentials or configuration, or manipulate the transmitted data to take control of a device while it's being paired. The vulnerability only affects the initialization phase; once setup is complete, Bluetooth is not used. The practical threat depends on physical proximity and whether an attacker is present during a user's setup window, which typically occurs in the home or office.
- CVE-2026-3514HIGH 7.5
Prefect version 3.6.19 contains an authentication bypass vulnerability in its health check exemption logic. The system automatically skips authentication for any URL path ending in 'health' or 'ready', a design meant to allow infrastructure monitoring. An attacker can exploit this by creating resources—such as variables, flows, work pools, work queues, or deployments—with names ending in those keywords, then access them without credentials. This can expose sensitive secrets like API keys and database passwords that are stored in Prefect Variables.
- CVE-2026-35672HIGH 7.5
phpMyFAQ versions before 4.1.3 have a critical flaw in their API that allows anyone on the network to create and modify FAQ entries without logging in. The vulnerability exists because the system accepts an empty authentication token by default, meaning attackers can submit requests with no valid credentials and the API will process them anyway. This permits unauthorized content injection into your knowledge base, potentially spreading misinformation, malware links, or defacement across your FAQ system.
- CVE-2026-37220HIGH 7.5
FlexRIC v2.0.0 can be crashed by an attacker who connects to its E2 interface (port 36421) and immediately disconnects without sending any control messages. The near-RT RIC software assumes that every SCTP connection is paired with an E2 node setup, but this assumption breaks when a connection closes before that setup happens. An attacker anywhere on the network can trigger this crash repeatedly, causing service disruption.
- CVE-2026-37221HIGH 7.5
FlexRIC v2.0.0 contains a denial-of-service vulnerability where the near-RT RIC (Real-time Intelligent Controller) crashes when it receives a malformed RIC subscription response message. An attacker on the network can send a specially crafted response with an unknown subscription ID to port 36421, causing the service to crash. The crash occurs because the code uses assert() statements to validate internal state—a mechanism that terminates the program rather than handling errors gracefully. No authentication is required to exploit this issue.
- CVE-2026-37222HIGH 7.5
FlexRIC v2.0.0 contains a flaw that allows an unauthenticated attacker to crash the RAN Intelligent Controller (RIC) by sending specially crafted network messages. The vulnerability stems from overly strict validation logic that expects an exact count of data fields in E2AP protocol messages. When a message arrives with a different (but still valid per the protocol specification) number of fields, the application crashes rather than handling the variation gracefully. An attacker on the network can trigger this denial-of-service condition without any credentials or prior access.
- CVE-2026-37223HIGH 7.5
FlexRIC v2.0.0 has a flaw in how it handles incoming E2AP messages from radio access network controllers. The software uses an assertion check that crashes the entire process if it receives a message type it doesn't recognize. Because the iApp component and the near-RT RIC service run in the same process, crashing iApp takes down the entire RIC service, severing all connections to E2 Nodes and xApps. An attacker on the network can exploit this without authentication by sending a valid but unlisted E2AP message, causing immediate denial of service.
- CVE-2026-37224HIGH 7.5
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp registry component. When the application receives two E2_SETUP_REQUEST messages claiming to be from the same E2 Node (either legitimately duplicate or spoofed), the registry crashes instead of rejecting the duplicate. An attacker on the network can exploit this by sending crafted setup requests to port 36421, causing the iApp process to terminate. No authentication or special privileges are required.
- CVE-2026-37225HIGH 7.5
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp process that can be triggered remotely without authentication. An attacker can send a specially crafted subscription request with an incomplete field definition over the network, causing the application to crash immediately. The vulnerability stems from a mismatch between two internal validation layers: the network decoder accepts the malformed request as valid, but a downstream encoder enforces stricter rules and crashes the process rather than rejecting the input gracefully.
- CVE-2026-37226HIGH 7.5
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp component. When the application receives a subscription request referencing an E2 Node that doesn't exist in the system, it crashes instead of handling the invalid reference gracefully. An attacker on the network can trigger this crash by sending a specially crafted request, causing the iApp process to go offline and disrupting O-RAN operations.