Latest intel // live feed
CVE-2026-31476 — Linux · CVSSv3.1 8.2 (HIGH) · EPSS 23rd percentile
In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure. When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a …
CVE-2026-31464 — Linux · CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done(). A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices […] The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are …
CVE-2026-31463 — Linux · CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
In the Linux kernel, the following vulnerability has been resolved: iomap: fix invalid folio access when i_blkbits differs from I/O granularity. Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less …
CVE-2026-31450 — Linux · CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization. ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash …
CVE-2026-31448 — Linux · CVSSv3.1 9.4 (CRITICAL) · EPSS 7th percentile
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data. On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in t…
CVE-2026-31444 — Linux · CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free and NULL deref in smb_grant_oplock(). smb_grant_oplock() has two issues in the oplock publication sequence: 1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_…
CVE-2026-31436 — Linux · CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc(). At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.
CVE-2026-31435 — Linux · CVSSv3.1 8.8 (HIGH) · EPSS 4th percentile
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix read abandonment during retry. Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later …
Understanding the CVE Ecosystem and NIST’s Changing Role
Bishop Fox analyzes NIST's April 2026 policy shift to prioritize CVE enrichment only for CISA's Known Exploited Vulnerabilities, federal government software, and Executive Order 14028 critical software, deprioritizing all other CVEs. The change formalizes what experienced security teams have practiced informally: risk-based triage rather than attempting to process all CVEs equally. The underlying problem is unsustainable CVE volume growth (263% increase 2020-2025, 48,244 new CVEs in 2025 alone) that has created a widening gap between CVE issuance and NIST enrichment capacity.
CVE-2026-31433 — Linux · CVSSv3.1 8.8 (HIGH) · EPSS 2nd percentile
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential OOB in get_file_all_info() for compound requests. When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing an out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation ch…
CVE-2026-31432 — Linux · CVSSv3.1 8.8 (HIGH) · EPSS 1st percentile
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests. When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synt…
CVE-2026-31431 — Linux Linux_kernel · CVSSv3.1 7.8 (HIGH) · EPSS 86th percentile
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
CVE-2026-6023 — Progress Telerik_ui_for_asp.net_ajax · CVSSv3.1 8.1 (HIGH) · EPSS 64th percentile
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, server-side remote code execution is possible.
CVE-2026-5398 — Freebsd Freebsd · CVSSv3.1 8.4 (HIGH) · EPSS 4th percentile
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
CVE-2026-41145 — Minio Minio · CVSSv3.1 8.2 (HIGH) · EPSS 30th percentile
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the we…
CVE-2026-40344 — Minio Minio · CVSSv3.1 8.2 (HIGH) · EPSS 36th percentile
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access …
CVE-2026-41304 — Wwbn Avideo · CVSSv3.1 9.8 (CRITICAL)
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This …
CVE-2026-41133 — Pyload Pyload · CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-…
CVE-2026-41064 — Wwbn Avideo · CVSSv3.1 9.3 (CRITICAL)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
CVE-2026-41059 — Oauth2_proxy_project Oauth2_proxy · CVSSv3.1 8.2 (HIGH) · EPSS 33rd percentile
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret`; and protected upstream applications that interpret …
CVE-2026-40575 — Oauth2_proxy_project Oauth2_proxy · CVSSv3.1 9.1 (CRITICAL) · EPSS 23rd percentile
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes …
CVE-2026-5921 — Github Enterprise_server · CVSSv3.1 8.9 (HIGH) · EPSS 20th percentile
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries agains…
CVE-2026-5845 — Github Enterprise_server · CVSSv3.1 9.6 (CRITICAL) · EPSS 3rd percentile
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scope…
CVE-2026-4296 — Github Enterprise_server · CVSSv3.1 8.8 (HIGH) · EPSS 17th percentile
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account wi…
CVE-2026-41058 — Wwbn Avideo · CVSSv3.1 8.1 (HIGH)
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.