CVE-2026-53209

CVE-2026-53209 affects the Linux kernel Bluetooth HCI_SYNC path. When hci_adv_bcast_announcement() prepends the Broadcast Announcement service data to an already full extended advertising payload, the combined data may overflow the temporary buffer used to rebuild advertising data. The flaw is mi...

CVE-2026-53209

In the Linux kernel, the following vulnerability has been resolved: B...

EUVD-2026-39300

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hciadvbcastannoucement prepends the Broadcast Announcement service...

EUVD-2026-38881

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlangetsize not reserving space for IFLAMACVLANBCCUTOFF macvlangetsize does not account for IFLAMACVLANBCCUTOFF, but macvlanfillinfo conditionally includes it when port-bccutoff != 1. This causes nlaputs32 to fail...

CVE-2026-54318 Home Assistant: Exported BroadcastReceiver allows local apps to spoof device location

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services...

EUVD-2026-36913

Unauthenticated PHP Object Injection in Broadcast Live Video 7.1.3 versions...

CVE-2026-27053

Unauthenticated PHP Object Injection in Broadcast Live Video 7.1.3 versions...

CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Broadcast Live Video 7.1.3 versions...

CVE-2026-27053

The CVE concerns WordPress plugin Broadcast Live Video (versions

PT-2026-49358

Unauthenticated PHP Object Injection in Broadcast Live Video 7.1.3 versions...

GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability

Summary A insufficient encryption vulnerability exists in the Device Authentication functionality of GV-IP Device Utility versions: 9.0.5. A specially crafted network sniffing can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. Confirmed...

EUVD-2026-36498

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to restrict roleupdated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change...

kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service

A flaw was found in the Linux kernel's bonding driver. A local attacker with low privileges could exploit a use-after-free vulnerability in the bondxmitbroadcast function. This occurs due to a race condition during concurrent slave enslave/release operations, which can lead to the original socket...

ARM® CPU Vulnerability : Bypass of Stage 1 translation, Stage-2 translation, or GPT Protection

CVE Details Refer to Glossary for explanation of terms CVE| CVE Description| CVSS Score ---|---|--- CVE-2025-10263 non-AMD| According to the ARM® security team, a broadcast Translation Lookaside Buffer Invalidate TLBI on another Processing Element PE may be completed before affected memory access...

PT-2026-47584

Summary An unauthenticated attacker Alice connects to FUXA's Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA's DEVICE WEBAPI REQUEST handler at server/runtime/index.js:296 calls axios.getaddress server-side and broadcasts the fu...

CVE-2022-45899

Nokia Broadcast Message Center BMC before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field...

CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-50209

Broadcast events allow malicious software to rewrite the device's default Mobile Device Management MDM endpoint address, shifting administrative ownership to an external attacker...

CVE-2026-49189

Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations...

CVE-2026-42363

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...