๐จ CVE-2026-10640
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send - net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise).
The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption.
The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input - net_ipv6_send_na).
Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.
๐@cveNotify
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send - net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise).
The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption.
The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input - net_ipv6_send_na).
Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.
๐@cveNotify
GitHub
net: ipv6: nbr: fix use-after-free ยท zephyrproject-rtos/zephyr@aaed833
Avoid accessing the packet after sending it, as the driver may
have already unreferenced or freed it. Use iface argument instead
of calling net_pkt_iface() on a potentially freed packet when
updati...
have already unreferenced or freed it. Use iface argument instead
of calling net_pkt_iface() on a potentially freed packet when
updati...
๐จ CVE-2025-71379
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns โ in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint โ are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.
๐@cveNotify
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns โ in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint โ are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.
๐@cveNotify
GitHub
A series of simple Redos in vllm.
### Summary
A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Service (ReDoS) attacks. These patterns, if fed with cr...
A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Service (ReDoS) attacks. These patterns, if fed with cr...
๐จ CVE-2026-56340
vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause.
๐@cveNotify
vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause.
๐@cveNotify
GitHub
Missing validation of multimodal embeddings leading to DoS and potential RCE
### Summary
The fix [here](https://github.com/vllm-project/vllm/pull/27204) for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cau...
The fix [here](https://github.com/vllm-project/vllm/pull/27204) for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cau...
๐จ CVE-2026-56425
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.
The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.
Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.
The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.
The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.
Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.
The fix introduces:
*
A dedicated cryptographically random OAuth state value.
*
Single-use state validation and invalidation.
*
Constant-time state comparison using hash_equals().
*
Session identifier rotation after successful authentication.
*
Enforcement of HTTPS-only redirect URIs.
*
Sanitized and length-limited logging of OAuth error parameters.
AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
๐@cveNotify
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.
The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.
Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.
The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.
The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.
Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.
The fix introduces:
*
A dedicated cryptographically random OAuth state value.
*
Single-use state validation and invalidation.
*
Constant-time state comparison using hash_equals().
*
Session identifier rotation after successful authentication.
*
Enforcement of HTTPS-only redirect URIs.
*
Sanitized and length-limited logging of OAuth error parameters.
AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
๐@cveNotify
GitHub
fix: [security] AAD auth hardening ยท MISP/MISP@146bc40
- as reported by Cormac Doherty
๐จ CVE-2026-37452
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
๐@cveNotify
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
๐@cveNotify
๐จ CVE-2026-38637
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.
๐@cveNotify
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.
๐@cveNotify
GitHub
pocs/redox/CVE-2026-38637 at master ยท Marsman1996/pocs
to show pocs found. Contribute to Marsman1996/pocs development by creating an account on GitHub.
๐จ CVE-2026-38640
A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.
๐@cveNotify
A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.
๐@cveNotify
GitHub
pocs/redox/CVE-2026-38640 at master ยท Marsman1996/pocs
to show pocs found. Contribute to Marsman1996/pocs development by creating an account on GitHub.
๐จ CVE-2026-8797
An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges.
๐@cveNotify
An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges.
๐@cveNotify
๐จ CVE-2026-57920
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
๐@cveNotify
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
๐@cveNotify
๐จ CVE-2026-57940
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
๐@cveNotify
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
๐@cveNotify
GitHub
htmly/system/admin/admin.php at c8b7ed9af39a266b256759becf26dba6a59e11e6 ยท danpros/htmly
Simple and fast databaseless PHP blogging platform, and Flat-File CMS - danpros/htmly
๐จ CVE-2026-30040
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
๐@cveNotify
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
๐@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#936962
Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0
๐จ CVE-2026-30041
An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.
๐@cveNotify
An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.
๐@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#936962
Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0
๐จ CVE-2026-8636
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 allows an attacker to retrieve user passwords and cryptographic keys from memory. Attacker can use the same keys to decrypt password, gain access to the application and access sensitive data in the database.
๐@cveNotify
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 allows an attacker to retrieve user passwords and cryptographic keys from memory. Attacker can use the same keys to decrypt password, gain access to the application and access sensitive data in the database.
๐@cveNotify
Ibm
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 008.
๐จ CVE-2026-9610
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 exposes resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.
๐@cveNotify
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 exposes resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.
๐@cveNotify
Ibm
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 008.
๐จ CVE-2026-57620
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.
This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.
This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Exclusive Addons Elementor Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-66123
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
๐@cveNotify
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
๐@cveNotify
Patchstack
Insecure Direct Object References (IDOR) in WordPress BookPro Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-24547
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
๐@cveNotify
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress SiteGround Email Marketing Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-54837
Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions.
๐@cveNotify
Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Intranet & Private Site โ All-In-One Intranet Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56010
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
๐@cveNotify
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
๐@cveNotify
Patchstack
Privilege Escalation in WordPress Abandoned Cart Pro for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56029
Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.
๐@cveNotify
Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.
๐@cveNotify
Patchstack
Broken Authentication in WordPress CorvusPay WooCommerce Payment Gateway Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.