CVE Notify
19.1K subscribers
4 photos
182K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-41120
Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.

🎖@cveNotify
🚨 CVE-2026-42390
An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.

🎖@cveNotify
🚨 CVE-2026-46732
Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain a Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

🎖@cveNotify
🚨 CVE-2026-46734
Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass.

🎖@cveNotify
🚨 CVE-2026-47145
In EmberZNet v9.0.2 and earlier, malformed Color Control messages can lead to asserts that terminate the process. These messages must come from a device that has already joined the network. Only devices supporting the Color Control cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47146
In EmberZNet v9.0.2 and earlier, malformed Color Control messages can lead to asserts that terminate the process. These messages must come from a device that has already joined the network. Only devices supporting the Color Control cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47147
In EmberZNet v9.0.2 and earlier, malformed OTA requests can drive the OTA server parser into out-of-bounds reads. A limited amount of data from RAM is read back to the requester. The size and location of this data is limited. These requests must come from a device that has already joined the network. Only devices supporting the OTA Server cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47148
In EmberZNet v9.0.2 and earlier, malformed GetGroupMembership commands can trigger repeated reads past the end of the message payload and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Groups cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47149
In EmberZNet v9.0.2 and earlier, malformed or out-of-range Door Lock user identifiers can trigger out-of-bounds table reads and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Door Lock cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47150
In EmberZNet v9.0.2 and earlier, malformed IAS Zone enrollment messages can trigger an out-of-bounds state-table write and terminate the process. The size and location of this write is limited. These messages must come from a device that has already joined the network. Only devices supporting the IAS Zone cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47151
In EmberZNet v9.0.2 and earlier, malformed ClearWeekdaySchedule messages can trigger out-of-bounds writes into Door Lock schedule state. The size and location of this data is limited. These messages must come from a device that has already joined the network. Only devices supporting the Door Lock cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47152
In EmberZNet v9.0.2 and earlier, a malformed Level Control Move command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47153
In EmberZNet v9.0.2 and earlier, a malformed Level Control Step command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-47154
In EmberZNet v9.0.2 and earlier, a malformed GetProfileResponse message can trigger out-of-bounds reads while iterating interval entries and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Simple Metering cluster may be impacted.

🎖@cveNotify
🚨 CVE-2026-52690
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.

🎖@cveNotify
🚨 CVE-2026-54829
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection.

This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.

🎖@cveNotify
🚨 CVE-2026-54842
Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Royal MCP: from n/a through 1.4.25.

🎖@cveNotify
🚨 CVE-2026-54848
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data.

This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.

🎖@cveNotify