CVE-2026-39907

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2...

Exploit for Use After Free in Haxx Curl

CVE-2026-3805: Use-After-Free in curl SMB Connection Reuse I...

SUSE-SU-2026:1266-1 Security update for the Linux Kernel (Live Patch 20 for SUSE Linux Enterprise 15 SP6)

This update for the SUSE Linux Enterprise Kernel 6.4.0-150600.23.87 fixes various security issues The following security issues were fixed: - CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc bsc1258051. - CVE-2026-23111: netfilter: nftables: fix inverted genmask check i...

EUVD-2026-21627

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

CVE-2026-4149

The CVE-2026-4149 entry concerns Sonos Era 300. Affected component: SMB response handling (DataOffset) leading to out-of-bounds memory access and remote code execution. Impact: attacker can run code with kernel context via a network vector without authentication (high/CRITICAL). CVSS data: NVD/3....

PT-2026-32095

Name of the Vulnerable Software and Affected Versions Kubernetes affected versions not specified Description The Kubernetes CSI Driver for SMB contains a path traversal issue via the subDir parameter. This could allow unintended directories on the SMB server to be deleted. Recommendations At the...

Sonos Era 300 缓冲区错误漏洞

The Sonos Era 300 is a spatial audio speaker from the American company Sonos, equipped with Dolby Atmos technology. The Sonos Era 300 has a buffer error vulnerability, which stems from insufficient validation of the DataOffset field in SMB responses, potentially allowing remote code execution...

CVE-2026-40107

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...

CVE-2026-40107

Summary: SiYuan before 3.6.4 configures Mermaid.js with securityLevel: loose and htmlLabels: true, allowing tags to survive DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary sanitization. When a user opens a note containing a malicious Mermaid diagram, the El...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006756)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006756 advisory. In the Linux kernel, the following vulnerability has been resolved: cifs: Release folio lock on fscache read hit. Under the current code, when cifsreadpageworker is...

CVE-2026-31409

A flaw was found in ksmbd, a component of the Linux kernel. This vulnerability occurs when a multichannel Server Message Block SMB2 session setup request, specifically one with a binding flag, fails. Due to an error in handling this failure, ksmbd incorrectly retains a binding state for the...

CVE-2026-31409

In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn-binding on failed binding request When a multichannel SMB2SESSIONSETUP request with SMB2SESSIONREQFLAGBINDING fails ksmbd sets conn-binding = true but never clears it on the error path. This leaves the connectio...

CVE-2026-31409

In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn-binding on failed binding request When a multichannel SMB2SESSIONSETUP request with SMB2SESSIONREQFLAGBINDING fails ksmbd sets conn-binding = true but never clears it on the error path. This leaves the connectio...

CVE-2026-31409

In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn-binding on failed binding request When a multichannel SMB2SESSIONSETUP request with SMB2SESSIONREQFLAGBINDING fails ksmbd sets conn-binding = true but never clears it on the error path. This leaves the connectio...

Linux Distros Unpatched Vulnerability : CVE-2026-31409

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ksmbd: unset conn-binding on failed binding request When a multichannel SMB2SESSIONSETUP request with SMB2SESSIONREQFLAGBINDING fails ksmbd sets conn-binding =...

curl: CVE-2026-5773: wrong reuse of SMB connection

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of...

CVE-2026-23427

A flaw was found in ksmbd, a component within the Linux kernel that provides server message block SMB functionality. This vulnerability, known as a use-after-free, occurs when the system attempts to access memory after it has been released. A remote attacker could exploit this by sending speciall...

CVE-2026-31392

A flaw was found in the Linux kernel's Server Message Block SMB client. A local attacker, by attempting to mount SMB shares using Kerberos sec=krb5 with a specified username, could cause the client to incorrectly reuse an existing SMB session. This session reuse occurs even when a different...

CVE-2026-23428

A flaw was found in ksmbd, a component of the Linux kernel. This use-after-free vulnerability occurs during the processing of Server Message Block version 2 SMB2 compound requests. An attacker could exploit this by sending a specially crafted sequence of SMB2 commands, causing the system to attem...

HTTPS Fetch, Windows x86 Reverse Named Pipe (SMB) Stager

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/https/x86/peinject/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...