CVE Notify
19.1K subscribers
4 photos
185K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
๐Ÿšจ CVE-2026-46108
In the Linux kernel, the following vulnerability has been resolved:

ipmi:si: Return state to normal if message allocation fails

There were places where nothing would get started if a message
allocation failed, so the driver needs to return to normal state.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2025-64719
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-52796
Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, "}") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-52804
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-52811
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component โ€” UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write โ€” ~git/.ssh/authorized_keys โ†’ SSH foothold, or <repo>.git/hooks/post-receive โ†’ next-push RCE. This vulnerability is fixed in 0.14.3.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-52816
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-56767
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12473
Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-37452
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-38637
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-38640
A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-56445
The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-6450
A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when parsed.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-6679
A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun. This affects builds using DTLS 1.3 and wolfSSL version 5.9.0 and earlier. A fix was added to the 5.9.1 release.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-6681
The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-6731
X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-2377
A flaw was found in Red Hat Quay and mirror registry for Red Hat OpenShift. The log export feature in these products allows an authenticated user to specify an arbitrary callback URL. A backend process then makes server-side HTTP requests to this provided URL. This vulnerability, known as Server-Side Request Forgery (SSRF), could allow an attacker to send requests from the application's internal network, potentially leading to the disclosure of sensitive information.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-9795
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

๐ŸŽ–@cveNotify