2026-04-24 15:16Z · HIGH

CVE-2026-31570 — Linux: Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31570

In the Linux kernel, the following vulnerability has been resolved: can: gw: fix OOB heap access in cgw_csum_crc8_rel(). cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): `int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len); if (from < 0 || to < 0 || res < 0) return;` However, the loop and the result write then use the raw s8 fields directl

CVSS v3.1 8.8 (HIGH) · EPSS 7th percentile · Edit Score 94
Type: Vulnerability
2026-04-24 15:16Z · HIGH

CVE-2026-31558 — Linux: This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31558

In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust. kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this case so as to make it more robust. This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

CVSS v3.1 8.8 (HIGH) · EPSS 5th percentile · Edit Score 94
Type: Vulnerability
2026-04-24 15:16Z · HIGH

CVE-2026-31553 — Linux: In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31553

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc(). Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-) Fix it.

CVSS v3.1 8.8 (HIGH) · EPSS 5th percentile · Edit Score 94
Type: Vulnerability
2026-04-24 15:16Z · CRIT

CVE-2026-31536 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: server: let send_done

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31536

In the Linux kernel, the following vulnerability has been resolved: smb: server: let send_done handle a completion without IB_SEND_SIGNALED. With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set. If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.

CVSS v3.1 9.8 (CRITICAL) · EPSS 4th percentile · Edit Score 99
Type: Vulnerability
2026-04-24 14:16Z · CRIT

CVE-2026-25660 — Ericsson CodeChecker: Authentication bypass occurs when the URL ends with Authentication with certain function calls.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25660

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.

CVSS v3.1 9.8 (CRITICAL) · EPSS 17th percentile · Edit Score 99
CWE-863, CWE-290 · Vendor: Ericsson, CodeChecker · Type: Vulnerability
2026-04-24 13:16Z · HIGH

CVE-2026-5367 — OVN: This out-of-bounds read can lead to the disclosure of sensitive information stored in heap

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5367

A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.

CVSS v3.1 8.6 (HIGH) · Edit Score 93
CWE-130 · Vendor: OVN · Type: Vulnerability
2026-04-24 13:16Z · CRIT

CVE-2026-21515 — Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-21515

Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.

CVSS v3.1 9.9 (CRITICAL) · Edit Score 100
CWE-200 · Type: Vulnerability
2026-04-24 12:17Z · HIGH

CVE-2026-23902 — Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23902

Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue.

CVSS v3.1 8.1 (HIGH) · Edit Score 91
CWE-863 · Type: Vulnerability
2026-04-24 11:16Z · HIGH

CVE-2026-41044 — Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41044

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trig

CVSS v3.1 8.8 (HIGH) · Edit Score 94
CWE-94, CWE-20 · Vendor: Input · Type: Vulnerability
2026-04-24 11:16Z · HIGH

CVE-2026-40466 — Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40466

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTT

CVSS v3.1 8.8 (HIGH) · Edit Score 94
CWE-94, CWE-20 · Vendor: Input · Type: Vulnerability
2026-04-24 08:00Z · HIGH

PhantomRPC: A new privilege escalation technique in Windows RPC

Kaspersky Securelist · securelist.com

Kaspersky researchers disclosed PhantomRPC, a novel local privilege escalation vulnerability in Windows RPC architecture that allows processes with impersonation privileges to escalate to SYSTEM level. The vulnerability stems from RPC's lack of server legitimacy verification, enabling attackers to deploy fake RPC servers mimicking legitimate services like TermService. Microsoft has not issued a patch despite proper disclosure, and the researchers demonstrate five distinct exploitation paths affecting all Windows versions.

Edit Score 82
Surface: OS · Tactics: TA0004, TA0005 · Vendor: Microsoft · Type: Research, Vulnerability · Stage: Privesc, Initial Access
2026-04-24 07:16Z · CRIT

CVE-2026-1952 — Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1952

Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.

CVSS v3.1 9.8 (CRITICAL) · Edit Score 99
CWE-912 · Vendor: Delta · Type: Vulnerability
2026-04-24 07:16Z · CRIT

CVE-2026-1951 — Delta Electronics AS320T has no checking of the length of the buffer with the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1951

Delta Electronics AS320T has no checking of the length of the buffer with the directory name vulnerability.

CVSS v3.1 9.8 (CRITICAL) · Edit Score 99
CWE-121 · Vendor: Delta · Type: Vulnerability
2026-04-24 07:16Z · CRIT

CVE-2026-1950 — Delta Electronics AS320T has no checking of the length of the buffer with the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1950

Delta Electronics AS320T has no checking of the length of the buffer with the file name vulnerability.

CVSS v3.1 9.8 (CRITICAL) · Edit Score 99
CWE-121 · Vendor: Delta · Type: Vulnerability
2026-04-24 06:16Z · HIGH

CVE-2026-5364 — The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5364

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved wi

CVSS v3.1 8.1 (HIGH) · Edit Score 91
CWE-434 · Vendor: Drag · Type: Vulnerability
2026-04-24 06:16Z · CRIT

CVE-2026-1949 — Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1949

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.

CVSS v3.1 9.8 (CRITICAL) · Edit Score 99
CWE-131 · Vendor: Delta · Type: Vulnerability
2026-04-24 04:16Z · HIGH

CVE-2026-41323 — Kyverno: Since the admission controller SA has permissions to patch webhook configurations, a stolen token

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41323

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to

CVSS v3.1 8.1 (HIGH) · Edit Score 91
CWE-918, CWE-200 · Vendor: Kyverno · Type: Vulnerability
2026-04-24 03:16Z · HIGH

CVE-2026-41316 — ERB: Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load`

CVSS v3.1 8.1 (HIGH) · Edit Score 91
CWE-693 · Vendor: ERB · Type: Vulnerability
2026-04-24 03:16Z · HIGH

CVE-2026-41309 — Open Source Social Network (OSSN): Versions prior to 9.0 are vulnerable to resource exhaustion.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41309

Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., 10000 x 10000 pixels). While the compressed file size on disk may be small, the server attempts to allocate significant memory and CPU cycles during the decompression and resizing process, leading to a Denial of Service (DoS) condit

CVSS v3.1 8.2 (HIGH) · Edit Score 91
CWE-770, CWE-400 · Type: Vulnerability
2026-04-24 03:16Z · HIGH

CVE-2026-33318 — Actual: Together these allow an attacker to set a known password and authenticate as the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` th

CVSS v3.1 8.8 (HIGH) · Edit Score 94
CWE-862, CWE-284 · Vendor: Actual · Type: Vulnerability
2026-04-24 03:16Z · HIGH

CVE-2026-33317 — OP-TEE: In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33317

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad

CVSS v3.1 8.7 (HIGH) · Edit Score 94
CWE-125, CWE-787 · Vendor: TEE · Type: Vulnerability
2026-04-24 03:16Z · HIGH

CVE-2026-33208 — Roxy-WI: An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33208

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the `/config/<service>/find-in-config` endpoint in Roxy-WI fails to sanitize the user-supplied `words` parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary

CVSS v3.1 8.8 (HIGH) · EPSS 61st percentile · Edit Score 94
CWE-78 · Vendor: Roxy-WI · Type: Vulnerability
2026-04-24 03:16Z · CRIT

CVE-2026-33078 — Roxy-WI: Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the `haproxy_section_save` function in `app/routes/config/routes.py`. The `server_ip` parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fix

CVSS v3.1 9.8 (CRITICAL) · EPSS 9th percentile · Edit Score 99
CWE-89 · Vendor: Roxy-WI · Type: Vulnerability
2026-04-24 03:16Z · CRIT

CVE-2026-33076 — Roxy-WI: Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33076

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the `haproxy_section_save` interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.

CVSS v3.1 9.8 (CRITICAL) · EPSS 66th percentile · Edit Score 99
CWE-22 · Vendor: Roxy-WI · Type: Vulnerability
2026-04-24 01:16Z · HIGH

CVE-2026-41325 — Kirby: This prevents the injection of dynamic blueprint configuration into the creation request.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41325

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the

CVSS v3.1 8.8 (HIGH) · EPSS 9th percentile · Edit Score 94
CWE-863 · Vendor: getkirby, Kirby · Type: Vulnerability