Trending Vulnerabilities

CVE-2026-20230 is a critical server-side request forgery vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The flaw is caused by improper input validation of specific HTTP requests in the WebDialer component/service. An unauthenticated remote attacker can send crafted HTTP requests to a vulnerable system and trigger SSRF behavior through the affected device. Successful exploitation can allow the attacker to write files to the underlying operating system; those files can then be leveraged in subsequent stages to escalate privileges to root. Public reporting and technical writeups indicate the issue has been chained into arbitrary file write and webshell deployment on the underlying Tomcat-hosted application environment.

CVE-2026-20245 is an authenticated local privilege-escalation and command-injection vulnerability in the CLI of Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco Catalyst SD-WAN Manager (formerly vManage), and Cisco Catalyst SD-WAN Validator (formerly vBond). The flaw is caused by insufficient validation of user-supplied input in the tenant file upload functionality. An attacker with netadmin privileges can upload a crafted file, including a malicious CSV such as the observed evil_tenant.csv, and trigger processing through the CLI tenant-upload workflow. Successful exploitation results in arbitrary command execution as root on the underlying operating system. Reporting on observed exploitation indicates attackers used the issue after obtaining administrative access, then modified privileged files such as /etc/passwd and /etc/shadow to create a UID 0 account (for example, troot), switched to that account, and performed anti-forensic cleanup.

CVE-2026-47729, dubbed Squidbleed, is a heap out-of-bounds read / heap buffer over-read in Squid Web Proxy’s FTP gateway and FTP directory-listing parser. The flaw is described as stemming from improper validation of syntactic correctness of input in legacy FTP parsing logic dating back to 1997. Multiple sources in the provided content attribute the vulnerable behavior to whitespace-skipping logic in FtpGateway.cc / ftpListParseParts(), where a missing NUL-terminator guard before strchr()-based parsing can cause the parser to advance past the end of the intended buffer when processing a crafted or truncated FTP directory listing, particularly one lacking an expected filename after a timestamp. Because Squid may reuse heap buffers without zeroing them, the over-read can disclose stale memory from unrelated prior transactions. In affected deployments, the leaked memory may contain fragments of other users’ cleartext HTTP requests, including Authorization headers, cookies, API keys, credentials, and session tokens. The issue affects Squid versions prior to the fixed release; the provided content contains conflicting statements about whether the fix landed in 7.6 or 7.7, though several references indicate versions earlier than 7.6 are affected and that defenders should verify the actual patch/backport rather than rely solely on version numbering.

CVE-2026-8461, dubbed PixelSmash, is a heap out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder implementation in libavcodec/magicyuv.C. The flaw is triggered when decoding specially crafted MagicYUV video streams, including files delivered in AVI, MKV, or MOV containers. The reported root cause is inconsistent chroma plane height calculations between FFmpeg's frame allocator and the MagicYUV decoder during slice-based decoding. In affected cases, attacker-controlled odd slice_height values can cause the decoder to write an extra chroma row past the end of the allocated heap buffer, producing a one-row heap overflow with attacker-controlled data. This can crash applications using vulnerable FFmpeg builds and, under specific conditions, be developed into remote code execution. The issue affects FFmpeg versions before 8.1.2.

CVE-2025-67038 is an OS command injection vulnerability affecting Lantronix EDS5000 firmware version 2.1.0.0R3. The flaw is in the HTTP RPC module, which invokes a shell command to write logs when user authentication fails. In the vulnerable code path, the supplied username is directly concatenated into the shell command without sanitization or safe argument handling. An attacker can place shell metacharacters and arbitrary commands in the username parameter, causing the device to execute attacker-controlled OS commands. The injected commands run with root privileges. Multiple sources in the provided content characterize the issue as unauthenticated because it is reachable through the failed-authentication logging path.

CVE-2026-55200 is a critical memory corruption vulnerability in libssh2 affecting versions through 1.11.1. The flaw is in ssh2_transport_read() in src/transport.c, where the library accepts an attacker-controlled SSH packet_length value from a remote peer without enforcing the libssh2 maximum packet-size boundary before arithmetic and allocation decisions are made. In the vulnerable full-packet decryption path, an excessively large packet_length can cause integer wraparound in the size calculation used for heap allocation, resulting in an undersized buffer being allocated while subsequent processing still uses the original oversized packet length. This creates an out-of-bounds heap write condition. The issue is reachable pre-authentication during SSH transport negotiation, so a malicious or impersonated SSH server can trigger it as soon as a libssh2-based client connects.

CVE-2026-46331 is a local privilege escalation vulnerability in the Linux kernel net/sched traffic-control packet editing path, specifically act_pedit and the function tcf_pedit_act(). The bug stems from incorrect copy-on-write range handling: tcf_pedit_act() computed the writable range for skb_ensure_writable() once before iterating over edit keys using tcfp_off_max_hint, but that hint did not account for runtime header offsets introduced by typed keys. As a result, part of the eventual write region could remain outside the copied/writable area, enabling a partial copy-on-write condition and an out-of-bounds write into shared backing memory, including page-cache pages referenced by the skb. The upstream fix moved skb_ensure_writable() into the per-key loop so the actual write offset is known at the time of validation, added overflow checks for offset arithmetic, used skb_cow() for negative offsets such as Ethernet header edits at ingress to ensure headroom is copied, and hardened offset_valid() against INT_MIN negation. Public reporting and PoC material describe exploitation by corrupting cached page data for a privileged executable such as /bin/su, turning the bug into local root escalation.

CVE-2026-43503 is a Linux kernel networking/XFRM privilege-escalation vulnerability caused by multiple sk_buff fragment-transfer helpers failing to propagate the SKBFL_SHARED_FRAG flag when moving fragment descriptors between socket buffers. The primary affected helpers called out are __pskb_copy_fclone() and skb_shift(), with the same omission also present in skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(). Because skb_copy_header() copies selected GSO metadata but not skb_shinfo()->flags, and other helpers move frag descriptors without updating flags, the destination skb can continue referencing externally owned or page-cache-backed pages while skb_has_shared_frag() incorrectly returns false. This breaks the invariant relied on by in-place writers such as ESP input processing in esp4.c/esp6.c, which use skb_has_shared_frag() to decide whether shared pages must first be copied via skb_cow_data(). In exploitable paths, including packet duplication via nf_dup_ipv4()/xt_TEE leading to pskb_copy() and then esp_input(), the stripped marker allows in-place ESP/authencesn-ESN writes into page-cache-backed memory. Public reporting describes this variant as DirtyClone, a DirtyFrag-family bug enabling modification of the page cache of root-owned read-only files.

CVE-2026-20253 is a critical missing-authentication vulnerability in the PostgreSQL Sidecar Service used by Splunk Enterprise. In affected Splunk Enterprise 10.2 releases prior to 10.2.4 and 10.0 releases prior to 10.0.7, the PostgreSQL sidecar recovery endpoint exposed through Splunk Web does not properly enforce authentication, allowing a network-reachable unauthenticated attacker to invoke backup and related file-operation functionality. As documented by Splunk and corroborated by public technical analysis, the vulnerable endpoint can be abused to create or truncate arbitrary files on the underlying system. Public reporting further indicates the file-operation primitive can be chained with attacker-controlled PostgreSQL connection parameters and restore behavior to achieve arbitrary file write and ultimately remote code execution under the Splunk service account. Splunk Enterprise 9.4 and earlier are not affected.

CVE-2026-12569 is a critical remote code execution vulnerability affecting PTC Windchill PDMlink and PTC FlexPLM. The flaw is described as an improper input validation issue that is exploitable through deserialization of untrusted data. Available reporting indicates a remote attacker can send a specially crafted malicious network request to trigger unsafe deserialization and achieve arbitrary code execution. The advisory states the issue applies to all CPS versions and also impacts Windchill and FlexPLM releases prior to 11.0 M030; additional reporting indicates affected branches include versions up to 11.0 and multiple releases in the 11.1, 11.2, 12.0, 12.1, and 13.0 lines. Active exploitation has been reported, including deployment of JSP web shells on vulnerable systems.

CVE-2026-4020 is a sensitive information exposure vulnerability in the Gravity SMTP plugin for WordPress affecting all versions up to and including 2.1.4. The issue is caused by a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback unconditionally returns true, making the endpoint accessible without authentication. When the request includes the query parameter page=gravitysmtp-settings, the plugin's register_connector_data() method populates internal connector data and the endpoint returns an approximately 365 KB JSON System Report. The exposed report can include PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, WordPress configuration details, database table names, active plugins and their versions, the active theme, and API keys, secrets, and OAuth tokens configured for Gravity SMTP email integrations.

CVE-2026-12957 is a high-severity arbitrary code execution vulnerability in Language Servers for AWS before version 1.65.0 on all supported platforms. The issue is described as improper trust boundary enforcement: when a user opens a maliciously crafted workspace and trusts it when prompted, commands embedded in project configuration files can be automatically executed. Supporting reporting attributes the vulnerable behavior to automatic loading and execution of workspace-controlled Model Context Protocol (MCP) server configuration, including .amazonq/mcp.json, without adequate consent and trust-boundary enforcement. Because the language server is used by Amazon Q Developer integrations across IDEs, a malicious repository can cause attacker-controlled local commands to run in the developer environment.

CVE-2026-34908 is a critical improper access control vulnerability in Ubiquiti UniFi OS, including UniFi OS Server. Public reporting and technical analysis indicate the flaw is part of the UniFi OS authentication gateway and can allow an attacker with network access, without authentication, to make unauthorized changes to the system. Bishop Fox reported that CVE-2026-34908 can be combined with CVE-2026-34909 due to inconsistencies between how the UniFi stack validates the raw request URI and how NGINX routes the normalized URI, enabling an authentication gateway bypass to internal routes that should require authentication. On its own, the vendor describes the issue as allowing unauthorized system changes; when chained with CVE-2026-34909 and CVE-2026-34910, it can contribute to unauthenticated remote code execution and full root compromise on vulnerable UniFi OS deployments.

CVE-2026-20971 is a local kernel vulnerability in Samsung’s KNOX framework, specifically affecting the PROCA driver and its interaction with the FIVE integrity subsystem prior to SMR Jan-2026 Release 1. The flaw is a race-condition-driven use-after-free involving the task_integrity object used to track process integrity state. During process state transitions such as execve() (and reportedly fork-related paths), one kernel path can free an existing task_integrity object while another path continues to dereference the stale pointer, creating a dangling reference in kernel memory. Reported vulnerable paths include procfs-backed integrity read handlers such as proc_integrity_value_read() and proc_integrity_label_read(). Researchers reported that an unprivileged application could trigger the race and reclaim the freed memory with controlled data, including via a technique involving loading a non-executable/non-ELF file, resulting in practical kernel memory corruption despite Samsung kernel control-flow integrity mitigations. Samsung patched the issue in its January 2026 security update.

CVE-2026-48907 is a critical improper access control vulnerability in Widget Factory's Joomla Content Editor (JCE) extension for Joomla. The flaw affects the profile import functionality exposed via the profiles.import task/endpoint and allows unauthenticated users to create new editor profiles. Multiple supporting sources indicate the vulnerable workflow lacks adequate authorization checks and, in practice, can be abused to upload attacker-controlled PHP files. Additional reporting indicates insufficient file validation or bypassable MIME-type restrictions during import/upload handling, enabling placement of executable PHP payloads on the server, commonly in writable locations such as tmp/, images/, or media/. Once uploaded, the PHP payload can be requested and executed by the web server, resulting in unauthenticated remote code execution on vulnerable Joomla sites running affected JCE versions.

CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, specifically the Updates Environment Management / Environment Management Hub (PSEMHUB or EMHub) component, affecting supported versions 8.61 and 8.62. Oracle describes it as an easily exploitable flaw that allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Multiple supporting sources characterize the issue as pre-authentication remote code execution in PSEMHUB/EMHub, with exploitation observed against HTTP-accessible endpoints including references to /PSIGW/HttpListeningConnector. The content consistently indicates that no authentication or user interaction is required and that successful exploitation can result in full takeover of the PeopleSoft platform.

CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR. A specially crafted RAR archive can abuse NTFS Alternate Data Streams (ADS) and traversal sequences so that, when the archive is opened or extracted with a vulnerable WinRAR version, files are written outside the intended extraction directory. Reported exploitation commonly used a visible decoy document together with hidden ADS-backed payload entries to silently drop attacker-controlled files into sensitive locations such as the user’s Windows Startup folder. This enables subsequent execution of attacker payloads, often via dropped LNK, HTA, VBScript, or other launcher files at next logon. The issue was patched by RARLAB in WinRAR 7.13 in July 2025 and was reported as exploited in the wild.

CVE-2026-34909 is a path traversal vulnerability in Ubiquiti UniFi OS devices. According to the provided content, a malicious actor with network access can exploit the flaw to access files on the underlying operating system outside the intended directory scope. Multiple sources in the content state that the issue affects the UniFi OS authentication gateway and can be used to expose sensitive host files, including configuration data and credentials, and that the accessed files may be manipulated to obtain access to an underlying system account. Bishop Fox analysis cited in the content further indicates that CVE-2026-34909 can be combined with CVE-2026-34908 to bypass authentication and reach internal routes that should require authorization, and then chained with CVE-2026-34910 for unauthenticated remote code execution with full root privileges. The content also states the issue was fixed by Ubiquiti in UniFi OS Server 5.0.8 and corresponding fixed releases for affected appliance lines.

CVE-2024-40766 is an improper access control vulnerability in SonicWall SonicOS affecting the management interface and SSLVPN functionality on SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices. Reported affected versions include Gen 5 SonicOS 5.9.2.14-12o and older, Gen 6 6.5.4.14-109n and older, and Gen 7 SonicOS 7.0.1-5035 and older. SonicWall advisory SNWLID-2024-0015 states the flaw can lead to unauthorized resource access and, under specific conditions, firewall crashes. Subsequent vendor and third-party reporting tied observed intrusions to exposed management/SSLVPN services and to local SSLVPN accounts, particularly in environments where Gen 6 to Gen 7 migrations carried over local user passwords without resetting them. Public reporting consistently describes the issue as an access control flaw rather than providing vulnerable-function-level technical detail, so specific internal code paths are currently not available from the provided content.

CVE-2026-34910 is a critical improper input validation vulnerability in Ubiquiti UniFi OS, including UniFi OS Server, that allows command injection. Available reporting indicates the flaw is in the package-update service/endpoint, where attacker-controlled package name input is insufficiently validated and is interpolated into a shell command. Bishop Fox reported the vulnerable backend constructed a command similar to "sudo /usr/bin/uos runnable latest-versions %v" and executed it through an "sh -c" wrapper, allowing shell metacharacter injection. The issue can be exploited by a malicious actor with network access, and in practice has been shown as the command-execution stage of a larger exploit chain with CVE-2026-34908 and CVE-2026-34909 to achieve unauthenticated remote code execution against exposed UniFi OS management interfaces.

CVE-2026-20262 is an authenticated remote arbitrary file write vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. The flaw is caused by improper validation of user-supplied input during a file upload process in an affected API endpoint, with path traversal characteristics that allow writes outside intended directories. By sending a crafted HTTP request, an attacker with valid credentials can create a new file or overwrite any file on the underlying operating system. Cisco states that the written file can subsequently be leveraged to escalate privileges to root. The issue affects multiple versions across all deployment types of Catalyst SD-WAN Manager and has been reported as actively exploited in the wild.

CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow affecting versions prior to 1.9.0. The flaw is in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intentionally exposed without authentication for building public flows. When the optional data parameter is supplied, the endpoint incorrectly uses attacker-supplied flow definitions instead of the persisted flow data stored in the database. A malicious flow definition can include arbitrary Python code in node templates. During flow building, this attacker-controlled code traverses the normal build chain through functions including start_flow_build(), generate_flow_events(), create_graph(), build_graph_from_data(), Graph.from_payload(), vertex.instantiate_component(), instantiate_class(), eval_custom_component_code(), create_class(), and prepare_global_scope(), where it is ultimately executed via exec(compiled_code, exec_globals) without sandboxing or import restrictions. Because the vulnerable endpoint is unauthenticated and accepts untrusted executable flow content, a single crafted HTTP POST request can trigger arbitrary Python execution on the server. This issue is distinct from CVE-2025-3248, which involved /api/v1/validate/code; here, the root problem is that the public build endpoint accepts attacker-controlled flow data at all.

CVE-2026-8932 is a low-severity authentication bypass flaw in libcurl’s connection reuse logic for mutual TLS (mTLS). libcurl maintains a connection pool and may reuse an existing TLS connection when it determines that the new transfer’s configuration matches the existing connection. In affected versions, the configuration matching was incomplete for some mTLS-related options: certain client-certificate settings, particularly private-key-related options, were not included in the reuse eligibility checks. As a result, libcurl could incorrectly reuse a previously established connection even after the application changed the client certificate or private key settings, in cases where a new connection should have been required. This issue affects libcurl versions 7.7 through 8.20.0 and does not affect the curl command-line tool.

CVE-2026-42530 is a use-after-free vulnerability in NGINX Open Source's ngx_http_v3_module, specifically in the HTTP/3 QUIC processing path. When NGINX is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker can send a specially crafted HTTP/3 session that reopens a QPACK encoder stream mid-session. This can trigger a use-after-free condition in the NGINX worker process, resulting in memory corruption. The issue affects NGINX Open Source 1.31.0 and 1.31.1; public reporting indicates it was fixed in 1.31.2. The flaw can crash and restart the worker process and, on systems where ASLR is disabled or can be bypassed, may be leveraged for code execution.