CVE Notify
19.3K subscribers
4 photos
204K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-54369
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.

πŸŽ–@cveNotify
🚨 CVE-2026-23537
A vulnerability has been identified in the Feast Feature Server’s `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.

πŸŽ–@cveNotify
🚨 CVE-2026-54430
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT
header. If signer matches the configured ARN, kid is appended to
alb_base_url without URL encoding or path sanitization, and the HTTP GET
is issued before signature verification. This allows an attacker to force
the server to send a GET request to an attacker-chosen internal path.

This issue was fixed in version 2.3.0

πŸŽ–@cveNotify
🚨 CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.

This issue was fixed in version 2.3.0

πŸŽ–@cveNotify
🚨 CVE-2026-11946
An unauthenticated remote attacker can exhaust
server memory via the GetEndpoints Discovery Service in open62541. The
endpointUrl field of GetEndpointsRequest is not validated for length. An
attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32
length field) delivered across intermediate chunks without ever sending the
final chunk. The server buffers all chunks in RAM indefinitely until the
SecureChannel times out. The attack is
pre-session and bypasses all encryption configurations.



The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

πŸŽ–@cveNotify
🚨 CVE-2026-14449
u5CMS through v12.8.8 is vulnerable to reflected XSS via the β€˜thanks’ parameter in multiple form components

πŸŽ–@cveNotify