CVE Notify
19.3K subscribers
4 photos
199K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-43701
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.

πŸŽ–@cveNotify
🚨 CVE-2026-43703
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

πŸŽ–@cveNotify
🚨 CVE-2026-43704
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious web extension may be able to cause an unexpected process crash.

πŸŽ–@cveNotify
🚨 CVE-2026-43705
A type confusion issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.

πŸŽ–@cveNotify
🚨 CVE-2026-43706
A double free issue was addressed with improved memory management. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

πŸŽ–@cveNotify
🚨 CVE-2026-43707
A memory corruption issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

πŸŽ–@cveNotify
🚨 CVE-2026-43708
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

πŸŽ–@cveNotify
🚨 CVE-2026-43709
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

πŸŽ–@cveNotify
🚨 CVE-2026-2725
Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.

πŸŽ–@cveNotify
🚨 CVE-2026-36738
U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Incorrect Access Control. The device exposes a UART interface that lacks authentication, authorization, or access control mechanisms. An attacker with physical access to the UART pins can connect to the interface and gain unrestricted access to device functionality.

πŸŽ–@cveNotify
🚨 CVE-2019-25716
DrΓ€ger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity.

πŸŽ–@cveNotify
🚨 CVE-2019-25718
DrΓ€ger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog interaction. Attackers can exploit this kiosk escape to take control of the operating system and cause the device to display incorrect or no information from the connected Delta Family patient monitor.

πŸŽ–@cveNotify
🚨 CVE-2019-25717
DrΓ€ger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network connection. Attackers can retrieve device internals, location information, and wired network configuration details from the exposed log files.

πŸŽ–@cveNotify
🚨 CVE-2026-47065
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy


Assessment: Fully addressed.


When the serialised stream contains a TC_PROXYCLASSDESC (the marker
for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc()
is
dispatched. JDK then calls the default
ObjectInputStream.resolveProxyClass(interfaces) implementation, which
performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH
interface name and constructs the proxy class Ò€” bypassing the accepted
classes list .


ZDRES-233: Class.forName(name, initialize=true, classLoader) in
readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes


Assessment: Fully addressed.


For ANY class on the allow-list, deserialising a stream that names it triggers the class’s
(static initialiser) BEFORE any instance is constructed. This means an
attacker who supplies a class name on the allow-list (e.g., the
developer wrote accept(β€œcom.myapp.*") , attacker supplies
com.myapp.SomeClass ) causes <clinit> of SomeClass Ò€” and many
real-world classes have side-effecting static initialisers


Both issues have been fixed.

πŸŽ–@cveNotify
🚨 CVE-2026-6657
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.

πŸŽ–@cveNotify
🚨 CVE-2026-22054
Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.

πŸŽ–@cveNotify
🚨 CVE-2026-22055
Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.

πŸŽ–@cveNotify
🚨 CVE-2026-7764
An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.

πŸŽ–@cveNotify
🚨 CVE-2026-4881
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

πŸŽ–@cveNotify
🚨 CVE-2025-12694
A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior.

πŸŽ–@cveNotify
🚨 CVE-2026-47430
## Summary

The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses. Though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely-adopted plugins.


## Impact

An unauthenticated remote attacker who controls content displayed in the InAppBrowser β€” via a URL the app opens (OAuth redirect, marketing link, deep-link target) or a network interception β€” can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries β€” for example, injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response.

This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0.

Users are recommended to upgrade to version 6.0.1, which fixes the issue.

πŸŽ–@cveNotify